PREFACE 


The Defense Science Board Task Force on Information Warfare (Defense) was established at 
the direction of the Under Secretary of Defense for Acquisition and Technology. By 
USD(A&T) Memorandum for the Chairman, Defense Science Board, dated October 4, 1995, 
the Task Force was directed to “focus on protection of information interests of national 
importance through the establishment and maintenance of a credible information warfare 
defensive capability in several areas, including deterrence.” Specifically, the Task Force was 
asked to: 

• Identify the information users of national interest who can be attacked through the 
shared elements of the national information infrastructure. 

• Determine the scope of national information interests to be defended by information 
warfare defense and deterrence capabilities. 

• Characterize the procedures, processes, and mechanisms required to defend against 
various classes of threats to the national information infrastructure and the 
information users of national interest. 

• Identify the indications and warning, tactical warning, and attack assessment 
procedures, processes, and mechanisms needed to anticipate, detect, and characterize 
attacks on the national information infrastructure and/or attacks on the information 
users of national interest. 

• Identify the reasonable roles of government and the private sector, alone and in 
concert, in creating, managing, and operating a national information warfare-defense 
capability. 

• Provide specific guidelines for implementation of the Task Force’s recommendations. 

For the purpose of this report, the terms national and national-level are assumed to include 
Federal, state and local governments, academia, associations, public interest organizations, 
and the private sector. 

This report presents the conclusions and recommendations of the Task Force based on study 
efforts of the Task Force and Panels created by the Task Force to address specific areas of 
interest. The report is organized as follows: 

• Executive Summary. 

• Section 1, Introduction, provides background information. 

• Section 2, Environment, describes factors pertinent to the study effort. 

• Section 3, Observations, provides the major findings of the Task Force. 

• Section 4, What Should We Defend?, identifies the information users of national 
interest and scope of interests to be defended. 

• Section 5, How Should We Defend?, suggests processes and procedures necessary to 
defend the users against the threats. It includes a discussion of required indications 
and warning, tactical warning, attack assessment, and continuity of operations 
organizations and procedures. 

• Section 6, Recommendations, presents recommendations, and provides specific 
guidelines for implementing the recommendations. It includes a discussion of the 
reasonable roles of government and the private sector and concludes with resources, in 
addition to current INFOSEC budgets, required to implement the recommendations. 

• Section 7, Summary, briefly summarizes the report and suggests some immediate 
actions. 

Appendices are provided as background and resource information. They do not represent a 
consensus view of the Task Force and recommendations contained in the Appendices are 
not Task Force recommendations to the Department. Some of the appendices were used in 
part as input to the main body of this report. Other appendices are provided because they 
contain useful information for further discussion of matters addressed in the main body of the 
report. 

At about the same time that the Task Force was created, the President signed a major policy 
directive regarding the protection of critical infrastructures such as telecommunications, 
electric power, and transportation. This directive resulted in the creation of a Critical 
Infrastructures Working Group (CIWG) to address the manner in which the directive should 
be implemented. The CIWG recommendations were implemented with some modification in 
Executive Order 13010, Critical Infrastructure Protection, which was signed by the President 
on July 15, 1996. E.O. 13010 establishes a President’s Commission to, in part, 

• Assess the scope and nature of the vulnerabilities of, and threats to, critical 
infrastructures, 

• Determine what legal and policy issues are raised by efforts to protect critical 
infrastructures, and 

• Recommend a comprehensive national policy and implementation strategy for 
protecting critical infrastructures from physical and cyber threats and assuring their 
continued operation. 

Given these parallel and closely related activities, the Task Force elected to address 
information warfare (defense) issues and provide conclusions from both the national and 
Department of Defense perspectives. However, the Task Force recommendations are 
specifically oriented on the Department of Defense. Department of Defense dependencies on 
national level activities for information warfare (defense) are provided to the Secretary of 
Defense for possible transmittal to the President’s Commission for use in their deliberations. 
EXECUTIVE SUMMARY 


The Environment 

The national security posture of the United States is becoming increasingly dependent on U.S. 
and international infrastructures. These infrastructures are highly interdependent, particularly 
because of the inter-netted nature of the information components and because of their reliance on 
the national information infrastructure. The information infrastructure depends, in turn, upon 
other infrastructures such as electrical power. 

Protecting the infrastructures against physical and electronic attacks and ensuring the availability 
of the infrastructures will be complicated. These infrastructures are provided mostly (and in 
some cases exclusively) by the commercial sector; regulated in part by federal, state, and local 
governments; and significantly influenced by market forces. Commercial services from the 
national information infrastructure provide the vast majority of the telecommunications portion 
of the Defense Information Infrastructure (DII). These services are regulated by Federal and state 
agencies. Local government agencies regulate the cable television portion of the information 
infrastructure. Power generation and distribution are provided by very diverse activities: the 
Federal government, public utilities, cooperatives, and private companies. Interstate 
telecommunications are regulated by the Federal Communications Commission, intrastate 
telecommunications by the state public utilities commissions. Interstate power distribution is 
regulated by the Federal Energy Regulatory Commission, intrastate power generation and 
distribution by the state public utilities commissions. 

Observations 

Information infrastructures are vulnerable to attack. While this in itself poses a national security 
threat, the linkage between information systems and traditional critical infrastructures has 
increased the scope and potential of the information warfare threat. For economic reasons, 
increasing deregulation and competition create an increased reliance on information systems to 
operate, maintain, and monitor critical infrastructures. This in turn creates a tunnel of 
vulnerability previously unrealized in the history of conflict. 

Information warfare offers a veil of anonymity to potential attackers. Attackers can hide in the 
mesh of inter-netted systems and often use previously conquered systems to launch their attacks. 
The lack of geographical, spatial, and political boundaries offers further anonymity and legal and 
regulatory arbitrage; this lack also invalidates previously established “nation-state” sanctuaries. 

Information warfare is also relatively cheap to wage, offering a high return on investment for 
resource-poor adversaries. The technology required to mount attacks is relatively simple and 
ubiquitous. During information warfare, demand for information will dramatically increase 
while the capacity of the information infrastructure will most certainly decrease. The law, 
particularly international law, is currently ambiguous regarding criminality in and acts of war on 
information infrastructures. This ambiguity, coupled with a lack of clearly designated 
responsibilities for electronic defense, hinders the development of remedies and limits response 
options. 

Exhibit ES-1 shows additional observations. 


• Information warfare has been particularly troublesome for the intelligence community 

• We lack a common vocabulary 

• Resources are focused on classified content and systems 

• It is easy to make the IW-D problem too hard 

• Acquisition policy and practices pose dilemmas 

• However, a lot can be done 

• And DoD must start now! 

Exhibit ES-1. Observations 


What Should We Defend? 

The current Administration’s national security strategy for the United States suggests that the 
nation’s “economic and security interests are increasingly inseparable” and that “we simply 
cannot be successful in advancing our interests — political, military and economic — without 
active engagement in world affairs.” In the broad sense, then, the national information 
interests to be defended by information warfare defense and deterrence capabilities are those 
political, military, and economic interests. These include the continuity of a democratic form of 
government and a free market economy, the ability to conduct effective diplomacy, a favorable 
balance of trade, and a military force that is ready to fight and that can be deployed where 
needed. These interests are supported by the delivery of goods and services that result from the 
conduct of functional activities such as manufacturing, governing, banking and finance, and the 
like. Some of these activities are critical to the nation’s political, military, and economic 
interests. These critical functional activities, in turn, depend on information technology and 
critical infrastructures such as banking and finance, electric power, telecommunications, and 
transportation. 

In general, U.S. infrastructures are extremely reliable and available because they have been 
designed to respond to disruptions, particularly those caused by natural phenomena. Redundancy 
and diverse routing are two examples of design techniques used to improve reliability and 
availability. However, deregulation and increased competition cause companies operating these 
infrastructures to rely more and more on information technology to centralize control of their 
operations, to support critical functions, and to deliver goods and services. Centralization and 
reliance on broadly networked information systems increase the vulnerabilities of the 
infrastructures and the likelihood of disruptions or malevolent attacks. 

The information users of national interest who can be attacked through the shared elements of the 
national information infrastructure are those responsible for performing the critical functions 
of national interest. Each of these users must preserve its ability to perform its basic missions. To do 
so requires the ensured operation of critical functions and the availability of information 
necessary to fulfill those missions. The intertwined nature of the functions of national interest 
and supporting infrastructures adds to the complexity: there are critical functions which have 
national security implications and which must be defended, and there are portions of the 
information infrastructure on which those Defense functions depend. 

How Should We Defend? 

The concept for defending the information infrastructure and the information components of 
other critical infrastructures includes the following principles: 

• Critical functions must be capable of being performed in the presence of information 
warfare attacks. 

• A minimum essential infrastructure capability must exist to support these critical 
functions. 

• Point and layered defenses are preferable to area defenses. 

• The infrastructure must be designed to function in the presence of failed components, 
systems, and networks. The risk associated with failed components, systems, and 
networks must be managed since it cannot be avoided. 

• Infrastructure control functions should not be dependent on the operation of the 
infrastructure. 

• The infrastructure must be capable of being repaired. 

The concept for defense is as follows. In the information age, as in the nuclear age, deterrence is the 
first line of defense. This deterrence must include an expression of national will relative to the 
consequences of an information warfare attack, and it is reinforced by the resiliency of the 
information infrastructure to survive an attack. Technology to conduct information warfare is 
simple and ubiquitous; some degree of robustness and protection is therefore essential. It is 
technically and economically impossible to design and protect the infrastructure to withstand any 
and all disruptions, intrusions, or attacks (or to avoid all risk). The risk can be managed, however, 
by protecting selected portions of the infrastructure that support critical functions and activities 
necessary for political, military, and economic interests. An equally important function is tactical 
warning, attack assessment, and restoration, which ensures the continuance of these critical 
functions and activities in the presence of disruptions or attacks. The essence of tactical warning 
is monitoring, detection of incidents, and reporting of the incidents. Monitoring and detection 
of infrastructure disruptions, intrusions, and attacks are also an integral part of the 
defense against information warfare. Providing an effective monitoring and detection capability 
will require some policy initiatives, some legal clarification, and an ambitious research and 
development program. The telecommunications infrastructure will be subject to some form of 
attack, and we should have some capability to limit the damage that results and to restore the 
infrastructure. Little research has been devoted to the basic procedures necessary to contain 
“battle” damage, let alone the tools which might provide some automated form of damage 
control. Some form of attack assessment is essential to determine the impact of an attack on 
critical functions and the appropriate response to an attack. Restoration of the infrastructure 
implies some capability to repair the damage and the availability of resources such as personnel, 
standby services contracts, and the like. The basic functions of monitoring, detection, damage 
control, and restoration must begin at the lowest possible operating level. Reports of the activity 
must be passed to regional, DoD, and national-level organizations to establish patterns of activity 
and to request assistance as needed in damage control and restoration. Finally, some form of 
response to the intrusions or attacks may be necessary to deter future intrusions or attacks. The 
response could entail civil or criminal prosecution, use of military force, perception management, 
diplomatic initiatives, or economic mandates. Because response might also involve offensive 
information warfare, this report does not address it in detail. 


Recommendations 

The Task Force makes 13 key recommendations as shown in Exhibit ES-2. The Task Force 
considers these recommendations as imperatives. 


Bottom Line - DoD has an urgent need to: 

1. Designate an accountable IW focal point 

2. Organize for IW-D 

3. Increase awareness 

4. Assess infrastructure dependencies and vulnerabilities 

5. Define threat conditions and responses 

6. Assess IW-D readiness 

7. “Raise the bar” (with high-payoff, low-cost items) 

8. Establish a minimum essential information infrastructure 

9. Focus the R&D 

10. Staff for success 

11. Resolve the legal issues 

12. Participate fully in critical infrastructure protection 

13. Provide the resources 

DSB has been urging action on this problem for 3 years! 


Exhibit ES-2. Recommendations 


In addition, the Task Force made over 50 additional recommendations, which are categorized 
under these key recommendations. (Note that the first recommendation addresses all of 
information warfare, not just defensive information warfare.) The Task Force attempted to 
prioritize these “key recommendations,” but in the end decided that portions of all of these key 
recommendations should be implemented immediately. 

The following discussions provide all of the recommendations made by the Task Force. The 
parenthetical entry following each of the key recommendations identifies the section of the report 
in which the recommendations are discussed in detail. 

1. Designate an accountable IW focal point (6.1). This is the most important recommendation 
the Task Force offers. The Task Force believes that the Secretary of Defense needs a single focal 
point charged to provide staff supervision of the complex activities and interrelationships that are 
involved in this new warfare area. This includes oversight of both offensive and defensive 
information warfare planning, technology development and resources. The SECDEF should: 

1a. Designate ASD(C3I) as the accountable focal point for all IW issues. 

1a(1). Develop a plan and associated budget beginning in FY 97 to obtain the 
needed IW-D capability. 

1a(2). Authorize ASD(C3I) to issue IW instructions. 

1a(3). Consider establishing a USD(Information). 

1b. Establish a DASD(IW) and supporting staff to bring together as many IW 
functions as possible. 

2. Organize for IW-D (6.2). This key recommendation identifies the need for specific IW-D 
related capabilities and organizations to provide or support the capabilities. While not 
specifically addressed by the Task Force, virtual organizations that draw on existing assets and 
capabilities can be established. 

2a. Establish a center to provide strategic indications and warning, current 
intelligence, and threat assessments. The SECDEF should request the DCI to: 

2a(1). Establish an I&W/TA center at NSA with CIA and DIA support. 

2a(2). Task and resource the Intelligence Community to develop the 
processes for Current Intelligence, Indications and Warning, and Threat 
Assessments for IW-D. 

2a(3). Encourage the Intelligence Community to develop information-age 
trade craft, staff with the right skills, and train for the information age. 

2a(4). Conduct comprehensive case studies of U.S. offensive programs and a 
former foreign program to identify potential indicators — collection, funding, 
training, etc. 

2a(5). Establish an organization to examine and analyze probable causes of 
all security breaches. 

2a(6). Develop and implement an integrated National Intelligence 
Exploitation Architecture to support the organization and processes. 
In addition, the SECDEF should: 

2a(7). Direct the development of IW Essential Elements of Information. 

2b. Establish a center for IW-D operations to provide tactical warning, attack 
assessment, emergency response, and infrastructure restoration capabilities. The 
SECDEF should: 

2b(1). Establish a DoD IW-D operations center at DISA with NCS, NSA, and 
DIA support. 

2b(2). Develop and implement distributed tactical warning, attack 
assessment, emergency response, and infrastructure restoration procedures. 

2b(3). Interface the operations center with Service and Agency capabilities 
and I&W/TA support. 

2b(4). Establish necessary liaison (e.g., with military and government 
operations centers, service providers, intelligence agencies, and computer 
emergency response centers). 

2c. The SECDEF should establish an IW-D planning and coordination center 
reporting to the ASD(C3I) with interfaces to the intelligence community, the Joint 
Staff, the law enforcement community, and the operations center. This center will 
develop an IW planning framework; assess IW policy, plans, intelligence support, 
allocation of resources, and IW incidents; develop procedures and metrics for assessing 
infrastructure and information dependencies; and facilitate sharing of sensitive 
information such as threats, vulnerabilities, fixes, tools, and techniques within DoD and 
among government agencies, the private sector, and professional associations. 

2d. Establish a joint office for system, network and infrastructure design. This 
office will: develop and promulgate IW-D policies, architectures, and standards; design 
the information infrastructure for utility, resiliency, repairability, and security; develop 
and implement an IW-D configuration management process; and conduct independent 
verification of design and procurement specifications to ensure compliance with the 
design. The SECDEF should: 

2d(1). Establish a joint security architecture/design office within DISA to 
shape the design of the DoD information infrastructure. 

2d(2). Establish a process to verify independently and enforce adherence to 
these design principles. 

2e. Establish a Red Team for independent assessments. The Red Team would assess 
the vulnerabilities of new systems and services and would conduct “IW-like” attacks to 
verify the readiness posture and preparedness of the fighting forces and supporting 
activities. The SECDEF should: 

2e(1). Establish a Red Team which is accountable to SECDEF/DEPSECDEF 
and independent of design, acquisition, and operations activities. 

2e(2). Develop procedures for employment of the Red Team. 

3. Increase awareness (6.3). The Task Force strongly suggests the need to make senior-level 
government and industry leaders aware of the vulnerabilities and of the implications. To that 
end, the SECDEF should: 

3a. Establish an internal and external IW-D awareness campaign for the public, 
industry, CINCs, Services, and Agencies. 

3b. Expand the IW Net Assessment recommended by the 1994 Summer Study to 
include assessing the vulnerabilities of the DII and NII. 

3c. Review joint doctrine for needed IW-D emphasis. 

3d. Explore possibility of large-scale IW-D demonstrations for the purpose of 
understanding cascading effects and collecting data for simulations. 

3e. Develop and implement simulations to demonstrate and play IW-D effects 
(USD(A&T) lead). 

3f. Implement policy to include IW-D realism in exercises. 

3g. Conduct IW-D experiments. 

4. Assess infrastructure dependencies and vulnerabilities (6.4). Various infrastructures are 
vitally needed to support mobilization, deployment, and employment of forces and to control and 
sustain those forces. Some of these interconnected infrastructures are known to have single 
points of failure. Therefore, the SECDEF should: 

4a. Develop a process and metrics for assessing infrastructure dependency. 

4b. Assess/document operations plans infrastructure dependencies. 

4c. Assess/document functional infrastructure dependencies. 

4d. Assess infrastructure vulnerabilities. 

4e. Develop a list of essential infrastructure protection needs. 

4f. Develop and report to the SECDEF the resource estimates for essential 
infrastructure protection. 

4g. Review vulnerabilities of hardware and software embedded in weapons systems. 

5. Define threat conditions and responses (6.5). Conditions analogous to DEFCON should be 
developed to provide a common understanding of IW threat conditions. Appropriate responses 
to these conditions should also be developed using the Task Force suggestions outlined in the 
report as a starting point. The SECDEF should: 
5a. Define and promulgate a useful set of IW-D threat conditions which is 
coordinated with current intelligence community threat condition definitions. 

5b. Define and implement responses to IW-D threat conditions. 

5c. Explore legislative and regulatory implications. 

6. Assess IW-D readiness (6.6). A standardized process is necessary to enable commanders to 
assess and report their operational readiness status as it relates to their specific dependency on 
information and information services. Using the standard vocabulary suggested by the Task 
Force, the SECDEF should: 

6a. Establish a standardized IW-D assessment system for use by CINCs, MilDeps, 
Services, and Combat Support Agencies. 

6b. Incorporate IW preparedness assessments in Joint Reporting System and Joint 
Doctrine, for example. 

7. “Raise the bar” with high-payoff, low-cost items (6.7). There are a number of low-cost 
activities the Department can undertake to “raise the bar” significantly for potential systems and 
network intruders. Three specific Task Force recommendations are that the SECDEF should: 

7a. Direct the immediate use of approved products for access control as an interim 
until a MISSI solution is implemented and for those users not programmed to 
receive MISSI products. 

7b. Examine the feasibility of using approved products for identification and 
authentication. 

7c. Require use of escrowed encryption for critical assets such as databases, 
program libraries, applications, and transaction logs to preclude rogue employees 
from locking up systems and networks. 


8. Establish and maintain a minimum essential information infrastructure (6.8). A strategy 
and an overall architecture concept employing existing core capabilities such as Milstar must be 
developed to serve as a means for restoring services for critical functions and adapting to large-
scale outages. The SECDEF should: 

8a. Define options with associated costs and schedules. 

8b. Identify minimum essential conventional force structure and supporting 
information infrastructure needs. 

8c. Prioritize critical functions and infrastructure dependencies. 

8d. Design a Defense MEII and a failsafe restoration capability. 

8e. Issue direction to the Defense Components to fence funds for a Defense MEII 
and failsafe restoration capability. 


9. Focus the R&D (6.9). While many commercial and approved security products are available 
to meet a variety of needs, they do not scale to large-scale distributed computing environments 
and generally do not protect against the threats described in this report. Therefore, the SECDEF 
should focus the DoD R&D program on: 

9a. Develop robust survivable system architectures. 

9b. Develop techniques and tools for modeling, monitoring, and management of 
large-scale distributed/networked systems. 

9c. Develop tools and techniques for automated detection and analysis of localized 
or coordinated large-scale attacks. 

9d. Develop tools for synthesizing and projecting the anticipated performance of 
survivable distributed systems. 

9e. Develop tools and environments for IW-D oriented operational training. 

9f. Develop testbeds and simulation-based mechanisms for evaluating emerging 
IW-D technology. 

In addition, the SECDEF should work with the National Science Foundation to: 

9g. Develop research in U.S. computer science and computer engineering programs. 

9h. Develop educational programs for curriculum development at the 
undergraduate and graduate levels in resilient system design practices. 

10. Staff for success (6.10). A cadre of high-quality, trained professionals with recognized 
career paths is an essential ingredient for defending present and future information systems. The 
Task Force recommends that the SECDEF: 

10a. Establish a career path and mandate training and certification of systems and 
network administrators. 

10b. Establish a military skill specialty for IW-D. 

10c. Develop specific IW awareness courses with strong focus on operational 
preparedness in DoD’s professional schools. 

11. Resolve the legal issues (6.11). The advent of distributed computing has and will continue 
to further blur the boundaries of the systems and networks that the Department uses. Confusion 
also stems from uncertainty over when or whether a wiretap approval is needed. Government-
wide guidance, and perhaps legislation as well, are needed in the areas of Department assistance 
to the private sector (e.g., Computer Security Act), tracing attackers of unknown nationality 
(intelligence versus U.S. persons), tracking attackers through multiple systems, and 
obtaining/requiring reports of computer-related incidents from the private sector owners and 
operators of critical infrastructures. The SECDEF should: 

11a. Promulgate for Department of Defense systems: 

• Guidance and unequivocal authority for Department users to monitor, 
record data, and repel intruders in computer systems for self protection. 

• Direction to use banners that make it clear the Department’s 
presumption that intruders have hostile intent and warn that the 
Department will take the appropriate response. 

• IW-D rules of engagement for self-protection (including active response) 
and civil infrastructure support. 

11b. Provide to the Presidential Commission on Critical Infrastructure Protection 
proposed legislation, regulation, or executive orders for defending other systems. 

12. Participate fully in critical infrastructure protection (6.12). The Task Force makes the 
following recommendations to the SECDEF regarding the activities of the President’s 
Commission on Critical Infrastructure Protection. Detailed suggestions for each of the below 
recommendations are outlined in Section 6.12. 

12a. Offer specific Department capabilities to the President’s Commission. 

12b. Advocate the Department’s interests to the President’s Commission. 

12c. Request the Commission provide certain national-level capabilities for the 
Department. 

12d. Suggest IW-D roles for government and the private sector. 

13. Provide the resources (6.13). The Task Force reviewed all of the individual 
recommendations categorized under the key recommendations and estimated to $5 million 
granularity what the implementation costs might be. The cost estimate is $3.01 billion over 
fiscal years 1997 through 2001. However, the Department should make a detailed estimate. 
SECTION 1.0 


INTRODUCTION 


The Task Force was formed in November of 1995. It met formally eight times. Four individual 
panels were formed to address specific issues and each met about the same number of times. 
During the course of the study, the Task Force drew upon previous DSB Task Force efforts. 

Some recurring themes will be pointed out later in the report. 

The objective of the study was to make recommendations regarding the creation and maintenance 
of specific aspects of a national information warfare defense capability. Exhibit 1-1 shows the 
specific tasks outlined by the terms of reference. 


• TOR #1 - Identify the information users of national interest who can be 
attacked through the shared elements of the national information 
infrastructure. This should include telecommunications, public 
transportation, financial services, public safety, and the mission essential 
functions of the Department of Defense. 

• TOR #2 - Determine the scope of national information interests to be 
defended by information warfare defense and deterrence capabilities. 

• TOR #3 - Characterize the procedures, processes, and mechanisms 
required to defend against various classes of threats to the national 
information infrastructure and the information users of national interest. 

• TOR #4 - Identify the indications and warning, tactical warning, and attack 
assessment procedures, processes, and mechanisms needed to 
anticipate, detect, and characterize attacks on the national information 
infrastructure and/or attacks on the information users of national interest. 

• TOR #5 - Identify the reasonable roles of government and the private 
sector, alone and in concert, in creating, managing, and operating a 
national information warfare-defense capability. 

• TOR #6 - Provide specific guidelines for implementation of the Task 
Force’s recommendations. 


Exhibit 1-1. Terms of Reference 

In addition to the Terms of Reference objectives, the Task Force was requested to look at 
additional items of interest shown in Exhibit 1-2. The National Research Council study was 
mandated by Public Law 103-160, Defense Authorization Bill for Fiscal Year 1994, November 
30, 1993. Pre-publication copies of this report were released May 30, 1996. Because of the 
potential role of cryptography in information warfare - defense (IW-D), the Task Force was 
encouraged to review the NRC report in the context of the Task Force deliberations. To avoid 
duplication and to provide additional focus to the study, the Task Force received briefings on the 
study of the Global Information Infrastructure sponsored by the Director of Central Intelligence. 
This excellent study effort provided valuable insights into the global implications of defensive 
information warfare. 
• DoD 

- Organization for defensive information warfare 

- Legislation and enforcement 

- Enabling technologies 

- Indications and warning/response center 

- Intellectual framework/taxonomy 

- Intelligence community 

- Red teaming 

• NRC study on “Cryptography’s Role in Securing the 
Information Society” 

• DCI study of the Global Information Infrastructure 

• Presidential Commission on Critical Infrastructure Protection 


Exhibit 1-2. Additional Items of Interest 

During the Task Force deliberations, the President signed Presidential Decision Directive 39 (late 
1995) and Executive Order 13010 (July 15, 1996). These established a President’s Commission 
on Critical Infrastructure Protection. The Commission was tasked to develop a comprehensive 
national policy and implementation strategy for protecting critical infrastructures from physical 
and cyber threats. The Task Force was advised that after review and approval of the Task Force 
report by OUSD(A&T), the Defense Science Board will forward its report to the Commission as 
a “statement of DoD issues, concerns, requirements, and recommendations.” 

The sponsors of the study were the Honorable Emmett Paige, Jr., Assistant Secretary of Defense 
for C3I; and VADM Arthur K. Cebrowski, Director for C4 Systems, Joint Staff. 

Task Force members are shown in Exhibit 1-3. A variety of disciplines were 
represented — academia, the telecommunications, banking, and aerospace industries, systems 
integrators, former military — and a number of members with former government service. In 
order to examine the issues more closely, the Task Force organized into four panels. 

Mr. Duane Andrews, Chairman 
Mr. Donald C. Latham, Vice Chairman 

Mr. John G. Grimes, Org’n and Mgmt Panel Chairman 
Mr. Paul A. Strassmann, Policy Panel Chairman 
Gen. Bernard P. Randolph, USAF (Ret), Technology Panel Chairman 
Mr. Lawrence T. Wright, Threat Panel Chairman 

Mr. Edward C. Aldridge 
Mr. Stewart A. Baker 
Dr. Delores M. Etter 
Mr. Charles A. Fowler 
Dr. George H. Heilmeier 
Mr. John Lane 
Mr. Alan J. McLaughlin 
Mr. Bob Nesbit 
Dr. Percy A. Pierre 
Mr. John P. Stenbit 
Mr. Lowell E. Thomas 
ADM Harry D. Train II, USN (Ret) 
Dr. Willis H. Ware 

CDR Frank Klein, Executive Secretary 

Exhibit 1-3. Task Force Members 
SECTION 2.0 


ENVIRONMENT 


2.1 GROWING DEPENDENCY, GROWING RISK 

The objective of warfare waged against agriculturally-based societies was to gain control over 
their principal source of wealth: land. Military campaigns were organized to destroy the 
capacity of an enemy to defend an area of land. 

The objective of warfare waged against industrially-based societies was to gain control over their 
principal source of all wealth: the means of production. Military campaigns were organized to 
destroy the capacity of the enemy to retain control over sources of raw materials, labor and 
production capacity. 

The objective of warfare to be waged against information-based societies is to gain control over 
the principal means for the sustenance of all wealth: the capacity for coordination of socio-economic 
inter-dependencies. Military campaigns will be organized to cripple the capacity of an 
information-based society to carry out its information-dependent enterprises. 

In the U.S. society, over 60 percent of the workforce is engaged in information-related 
management activities. The value of most wealth producing-resources depends on “knowledge 
capital” and not on financial assets or masses of labor. Similarly, the doctrine of the U.S. 
military is now principally based on the superior use of information. 

“The joint campaign should fully exploit the information differential, that is, the 
superior access to and ability to effectively employ information on the strategic, 
operational and tactical situation which advanced U.S. technologies provide our 
forces.” [Joint Pub. 1, p. IV-9] 

The military doctrines shaping U.S. force structure and operational planning assume this 
information superiority. “Joint Vision 2010 focuses the strengths of each individual Service on 
operational concepts that achieve Full Spectrum Dominance.” This technological view is shared 
in the Army’s “Enterprise Strategy” and “Force XXI Concept of Operations,” the Navy’s 
“Forward... From the Sea,” the Air Force’s “Global Presence,” and the Marine’s “Operational 
Maneuver from the Sea.” 

The capstone Joint Vision 2010 provides the conceptual template for how America’s Armed 
Forces will channel the vitality and innovation of our people and leverage technological 
opportunities to achieve new levels of effectiveness in joint warfighting. It addresses the 
expected continuities and changes in the strategic environment, including technology trends and 
their implications for our Armed Forces. It recognizes the crucial importance of our current high- 
quality, highly trained forces and provides the basis for their further enhancement by prescribing 
how we will fight in the early 21st century. This vision of future warfighting embodies the 
improved intelligence and command and control available in the information age and goes on to 
develop four operational concepts: dominant maneuver, precision engagement, full dimensional 
protection, and focused logistics. 
It is not prudent to expect the U.S. dependence on information-dominated activities for wealth 
producing and for national security to go unchallenged. In his book, Strategy: the logic of war 
and peace [1987, Belknap Press, pages 27-28], Edward Luttwak notes: 


The notion of an ‘action-reaction’ sequence in the development of new war 
equipment and newer countermeasures, which induce in turn the development of 
counter-countermeasures and still newer equipment, is deceptively familiar. That 
the technical devices of war will be opposed whenever possible by other devices 
designed specifically against them is obvious enough. Slightly less obvious is the 
relationship (inevitably paradoxical) between the very success of new devices and 
their eventual failure: any sensible enemy will focus his most urgent efforts on 
countermeasures meant to neutralize whatever opposing device seems most 
dangerous at the time. 


The reality is that the vulnerability of the Department of Defense - and of the nation - to 
offensive information warfare attack is largely a self-created problem. Program by program, 
economic sector by economic sector, we have based critical functions on inadequately protected 
telecomputing services. In aggregate, we have created a target-rich environment and the U.S. 
industry has sold globally much of the generic technology that can be used to strike these targets. 

Despite the enormous cumulative risk to the nation’s defense posture, at the [illegible] level 
there still is inadequate understanding of the threat or acceptance of responsibility for the 
consequences of attacks on individual systems that have the potential to cascade throughout the 
larger enterprise. 

A case examined in some detail by the Task Force was the dependence of the Global 
Transportation Network on unclassified data sources and the GTN interface to the Global 
Command and Control System (GCCS). GCCS will continue to increase in importance because it 
is the system of systems through which CINCs, JTFs, and other commanders gain access 
to more and different information sources. Although GCCS has undergone selected security 
testing, much remains to be accomplished. For example, security testing has concentrated 
principally upon Oracle databases and applications evaluation. Other GCCS aspects need 
thorough security testing; e.g., database applications (Sybase), message functions, and 
configuration management. GTN and GCCS are not unique circumstances. The Global Combat 
Support System and a long series of Advanced Concepts Technology Demonstrations currently 
shaping the future of C4ISR follow a remarkably similar pattern: Well-intentioned program 
managers work very hard to deliver an improved mission capability in a constrained budget 
environment. The operators they are supporting do not emphasize security and neither operators 
nor developers are held responsible for the contribution their individual program makes to the 
collective risk of cascading failure in the event of information warfare attack. 

To reduce the danger, all defense investments must be examined from a network- and 
infrastructure-oriented perspective, recognizing the collective risk that can grow from individual 
decisions on systems that will be connected to a shared infrastructure. Only those programs that can 
operate without connecting to the global network or those that can operate with an accepted level 
of risk in a networked information warfare environment should be built. Otherwise, we are 
paying for the means that an enemy can use to attack and defeat us. 


The shift from the industrial age to the information age and the implications are illustrated in 
Exhibit 2-1. 



Exhibit 2-1. A Fragile Foundation 

The United States formerly enjoyed a broad-based manufacturing foundation to support other 
infrastructures and conventional and nuclear forces. With the increasing dependence on 
information and information technology, that broad-based foundation has been reduced to a 
rather narrow base of constantly changing and increasingly vulnerable information and 
information technology. Service and joint doctrine clearly indicate an increasing dependence of 
future forces on information and information technology. However, the doctrine of information 
superiority assumes the availability of the information and information technology — a dangerous 
assumption. The published Service and joint doctrine does not address the operational 
implications of a failure of information and information technology. 

By analogy, consider the protection implications of adding an aircraft carrier to our force 
structure. The carrier does not deploy in isolation. It is accompanied by all manner of ships, 
aircraft, and technology to ensure the protection of the entire battle group: destroyers for picket 
duty, cruisers for firepower, submarines for subsurface protection, aircraft and radar for early 
warning, and so on. The United States must begin to consider the implications of protecting its 
information-age doctrine, tactics, and weapon systems. It can not simply postulate doctrine and 
tactics which rely so extensively on information and information technology without comparable 
attention to information and information systems protection and assurance. This attention, 
backed up with sufficient resources, is the only way the Department can ensure adequate 
protection of our forces in the face of the inevitable information war. 
2.2 INFORMATION WARFARE 

Although the Task Force specifically examined IW-D, it also considered a few of the concepts 
of offensive warfare to help define the battlefield upon which the defense must operate. 
[...] developing, maintaining, and using logic-based weapons against an information system [...] 
insider, create false information [...] connected to the globally shared telecommunications [...]. 
The latest information on how to exploit many of the known security flaws of commercial 
computer software is freely available on the Internet. 

[...] nonlinear outputs from modest inputs. This [...] may only be a minor cost component of a 
[...]: the database of the items in a warehouse costs much less than the physical items stored in 
the warehouse. 

As an example of why information warfare [...] networks but largely migrated to distributed 
computing systems [...] still depend on the use of fixed passwords as the first line of defense - a 
carry-over from the days of the stand-alone mainframe computer. We do so even though we know 
that network analyzers have been and continue to be used to collect computer addresses, user 
identities, and user passwords from the Internet and unclassified military networks, [and that 
intruders use these] passwords to masquerade as legitimate users and [install] software tools 
which ensure that they can take control of the computer and erase all traces of their entry. 

It is important to stress that [...] that a few individuals can easily bring [...] to its knees [by] 
hacking into a few computers - the Task Force [...]. The Task Force agrees that it is easy for 
skilled individuals (or less skilled individuals with suitable automated tools) to break [...] and to 
steal files, install malicious [software] [...] and for the duration of the attacker’s choosing. 
press. Many of these [...] large-scale terrorist attacks. The Task Force acknowledges that 
malicious software can be emplaced over time with a common means of activation and that the 
effect could be of the scale of a major concurrent attack. While such an attack cannot be ruled 
out, the probability of such is assessed to be low. Currently, however, there is no organized 
effort to monitor for unauthorized changes in operational software even though for the past 3 
years unknown intruders have routinely been penetrating DoD’s unclassified computers. 
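As an added illustration of the monitoring the report says is absent (this is example code written for this edition, not code from the report or from DoD), the following baseline-and-compare check records a SHA-256 digest and size for every file under a software tree and reports which files were modified, added or removed since the baseline was taken. The directory layout and file contents are constructed for the demonstration; the trojaned file keeps its original size so that only the digest reveals the change.

```python
"""Baseline-and-compare integrity check for operational software.

Added example, not from the DSB report. It snapshots (sha256, size) for every
regular file under a directory, then diffs a later snapshot against the baseline.
All paths and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, tuple[str, int]]:
    """Map each regular file (path relative to root, POSIX form) to (sha256, size).

    Symlinks are skipped so a link pointing outside the tree cannot be hashed
    in place of the file it replaces.
    """
    snapshot: dict[str, tuple[str, int]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            snapshot[rel] = (file_digest(p), p.stat().st_size)
    return snapshot


def compare(baseline: dict[str, tuple[str, int]],
            current: dict[str, tuple[str, int]]) -> dict[str, list[str]]:
    """Classify every difference between two snapshots.

    A file is 'modified' when its digest or size changed; size alone is not
    trusted because a replacement can be padded to the original length.
    """
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline taken, then one program is replaced by a
    same-length trojaned copy, one unknown program appears, and a trust file
    is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login program")
        (root / "bin" / "ls").write_bytes(b"original ls program")
        (root / "etc").mkdir()
        (root / "etc" / "hosts.equiv").write_text("trusted-host\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was recorded.
        (root / "bin" / "login").write_bytes(b"trojaned login program")  # same length
        (root / "bin" / "newprog").write_bytes(b"unknown program")
        (root / "etc" / "hosts.equiv").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline would be stored off-host or on read-only media, since an intruder who can alter the software can also alter a baseline kept beside it.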

The above assessments do not mean that the threat of offensive information warfare is low or that 
it can be ignored. The U.S. susceptibility to hostile offensive information warfare is real and will 
continue to increase until many current practices are abandoned. 

Practices that invite attack include poorly designed software applications; the use of overly 
complex and inherently insecure computer operating systems; the lack of training and tools for 
monitoring and managing the telecomputing environment; the promiscuous inter-networking of 
computers creating the potential for proliferating failure modes; the inadequate training of 
information workers; and the lack of robust processes for the identification of system 
components, including users. By far the most significant is the practice of basing important 
military, economic and social functions on poorly designed and configured information systems, 
and staffing these systems with skill-deficient personnel. These personnel often pay little 
attention to or have no understanding of the operational consequences of information system 
failure, loss of data integrity, or loss of data confidentiality. 

Information warfare defense is not cheap, nor can it be easily obtained. It will take resources to 
develop the tools, processes, and procedures needed to ensure the availability of information and 
integrity of information, and to protect the confidentiality of information where needed. 
Additional resources will be needed to develop design guidelines for system and software 
engineers to ensure information systems that can operate in an information warfare environment. 
More resources will be needed to develop robust means to detect when insiders or intruders with 
malicious intent have tampered with our systems and to have a capability to undertake corrective 
actions and restore the systems. 

Note that the appropriate investment in an information warfare defense capability has no 
correlation with the investment that may have been made to obtain an offensive information 
warfare capability. Information warfare defense encompasses the planning and execution of 
activities to blunt the effects of an offensive information warfare attack. However, the value of 
an investment in information warfare defense is not a function of the cost of the information or 
information system to be protected. Rather, the value of the defense is a function of the value to 
the defender of an information-based activity or process that may be subject to an information 
warfare attack. 

If the defender leaves unprotected vital social, economic, and defense functions that depend upon 
information services, then the defender invites potential adversaries to make an investment in an 
offensive information warfare capability to attack these functions. To provide a robust deterrent 
against such an attack, an information-dependent defender should invest wisely in a capability to 
protect and restore vital functions and processes and demonstrate that the information services 
used are robust and resilient to attack. 
• The network standards and transmission codes that facilitate interconnection and 
interoperation between networks, and ensure the privacy of persons and the security of 
the information carried, as well as the security and reliability of the networks. 

• The people — largely in the private sector — who create the information, develop 
applications and services, construct the facilities, and train others to tap its potential. 

Many of these people will be vendors, operators, and service providers working for 
private industry. Every component of the information infrastructure must be developed 
and integrated if America is to capture the promise of the Information Age. 

We call out domains within this infrastructure by names that reflect the interest of the user: the 
Defense Information Infrastructure of the defense community; the National Information 
Infrastructure of the United States; the complex, interconnected Global Information Infrastructure 
of the future described so well to the Task Force by the representatives of the Central Intelligence 
Agency. The reality is that almost all are interconnected. 

DoD has over 2.1 million computers, over 10,000 LANs, and over 100 long-distance networks. 
DoD depends upon computers to coordinate and implement aspects of every element of its 
mission, from designing weapon systems to tracking logistics. In field testing, DISA has 
determined that at least 65 percent of DoD unclassified systems are vulnerable to attack. 

Consider how this state came about. 


The early generations of computer systems presented relatively simple security challenges. They 
were expensive; they were isolated in environmentally controlled facilities; and few understood 
how to use them. Protecting these systems was largely a matter of physical security: controlling 
access to the computer room and clearing the small number of specialists who needed such 
access. 

As the size and price of computers were reduced, microprocessors began to appear in every 
workplace, on the battlefield and embedded in weapons systems. Software for these computers 
is written by individuals and firms scattered across the globe. Connectivity was extended, first to 
remote terminals, eventually to local- and wide-area communications networks, and now to 
global coverage. What was once a collection of separate systems is now best understood as a 
dynamic, ever-changing, collection of subscribers using a large, multifaceted information 
infrastructure operating as a virtual utility. 

These legacy computer systems were not designed to withstand second-, third-, or “n”-order-level 
effects of an offensive information warfare attack. Nor is there evidence that the computer 
systems presently under development will provide such protection. The cost for “totally 
hardened” systems is prohibitive. Security criteria at present presume that computing can be 
protected at its perimeter, primarily through the encryption of telecommunications links. 
However, internal security may be more important than perimeter defense. 

It is not necessary to break the cryptographic protection used to protect telecommunications and 
data to attack classified computing environments. The legacy protection paradigm used by DoD 
was based upon the classification of information. However, most classified computer systems 
a co-worker who shares authorized access to a telecomputing environment is behaving 
appropriately. 

In sum, we have built our economy and our military on a technology foundation that we do not 
control and which, at least at the fine detail level, we do not understand. 

A few words about the environment are important to set the stage for later discussions. DoD’s 
information infrastructure is a part of a larger national and global information infrastructure. 
These interconnected and interdependent systems and networks are the foundation for critical 
economic, diplomatic, and military functions upon which our national and economic security are 
dependent. Exhibit 2-2 shows a few examples of those functions, the importance of information 
and the information infrastructure to each, and the criticality of functions such as coalition 
building in responding to a regional crisis. 


• DoD’s information infrastructure 
is part of an interconnected set 
of military, commercial, national 
and international interdependent 
networks and systems 

• Critical functions are heavily 
dependent on the infrastructures 
and information 

- Economic 

• Manufacturing and distribution 

• Free trade 

- Diplomatic 

• Coalition building 

• Crisis stabilization 

- Military 

• Deployment 

• Coalition warfare 

• Sustainment 

Exhibit 2-2. Infrastructures and Dependencies 

The United States is an information and information systems dominated society. Because of its 
ever-increasing dependence on information and information technology, the United States is one 
of the most vulnerable nations to information warfare attacks. The United States and its 
infrastructures are vulnerable to a variety of threats ranging from rogue hackers for hire to 
coordinated trans-national and state-sponsored efforts to gain some economic, diplomatic or 
military advantage. Exhibit 2-3 depicts some of the vulnerabilities. 
• But these interconnected networks and systems are vulnerable 

- U.S. is one of the most vulnerable nations 

- Information technology change is faster than that of security solutions 

• And it’s getting worse 

- Globalization 

- Standardization 

- Regulation/deregulation 

  • Open network architecture 

  • Collocation 

  • Interconnection 

Exhibit 2-3. Vulnerabilities 
Exhibit 2-4 illustrates the variety of network and computer system vulnerabilities which can be 
exploited, starting with simply making too much information available to too many people. The 
number of holes is mind-boggling — an indication of the complexity and depth of defensive 
information warfare task! 


• Human factors 
- Information freely available 
- Poor password choices 
- Poor system configuration 
- Vulnerability to “social engineering” 

• Protocol-based 
- Weak authentication 
- Easily guessed sequence numbers 
- Source routing of packets 
- Unused header fields 

• Denial of service 
- Network flooding 
- “Spamming” 
- Morris worm 

• Authentication-based 
- Password sniffing/cracking 
- Social engineering 
- Via corrupted/trusted system 

• Data driven 
- Directing E-mail to a program 
- Embedded programming languages 
  • Microsoft Word macro 
  • PostScript printer 
- Remotely accessed software 
  • JAVA, Active-X 

• Cryptosystem weaknesses 
- Inadequate key size/characteristics 
- Mathematical algorithm flaws 
- Key management 
  • Deducing key 
  • Substituting key 
  • Intercepting key 
  • Setting key 
- Bypassing 
  • Capture data before encryption 
  • Turn off encryption 
  • Replay 

• Software-based 
- Viruses 
- Flaws 
- Excess privileges 
- Unused security features 
- Trap doors 
- Poor system configuration 
- Denial of service 


Exhibit 2-4. Vulnerabilities/Exploitation Techniques 

Take, for example, “Remotely accessed software,” which is found in the left column under “Data 
Driven.” Distributed software objects, such as JAVA and Active-X, are the wave of the future. 
Rather than having software reside permanently in workstations or desktop computers, the 
Internet will make applications and data available as needed. The applications and data are 
deleted from the workstations or desktop computers after use. The danger of this just-in-time 
support is that the user has no idea as to what might be hidden in the code. Another aspect of 
distributed computing is that the definition of system boundaries becomes very blurred. This 
suggests considerable future difficulty in defining what can and cannot be monitored for self-
protection, an implication discussed in Section 6.11, Resolve the Legal Issues, with legal 
recommendations. 

The implication is that a risk management process is needed to deal with the inability to close all 
of the holes. Since this subject has been treated extensively by other study efforts (e.g., the Joint 
Security Commission), the Task Force elected not to examine risk management. 

2.4 THREAT 

There is ample evidence from the Defense Information Systems Agency and the General 
Accounting Office of the presence of intruders in DoD unclassified systems and networks. 
Briefings and reports to the Task Force have reinforced the DISA experience. Exhibit 2-5 shows 
some of the threats involved. 
• Unknown intruders are in DoD networks and computers 

- Services and DISA experience 

- GAO report 

• U.S. networks and computers are of significant interest 

- CIA, DIA, and NSA briefings 

• FBI survey - “There is a serious problem” 

• Threat to the public switched network is significant 

- NCS and NSTAC 

• Growing interest in sharing sensitive information 

- Government and industry Network Security Information Exchanges 

- DoJ Industry Information Center 

• We can’t let our confidence in technological superiority blind us to a growing threat 

Exhibit 2-5. The Threat is Real 
Exhibit 2-6. Threat Assessment 
The incompetent threat is an amateur that by some means (perhaps by following a hacker recipe 
or by accident) manages to perform some action that exploits or exacerbates a vulnerability. This 
category could include a poorly trained systems administrator who assigns privilege groups 
incorrectly, which would then allow a more nefarious threat to claim more privileges on a system 
than would be warranted. 

The hacker threat implies a person with more technical knowledge who to some degree 
understands the processes used and has the intent to violate the security or defenses of a target to 
one degree or another. The hacker threat is broad in motivation, ranging from those who are 
mostly just curious to those who commit acts of vandalism. 

The disgruntled employee threat is the ultimate insider threat: the individual who is inside the 
organization and trusted. This threat is the most difficult to detect because insiders have 
legitimate access. 

When examining the potential for information warfare activities, the potential for a criminal or 
non-governmental attack for economic purposes must be considered. Information is the basis for 
the global economy. Money is information; only approximately 10 percent of the time does it 
exist in physical form. As information systems are increasingly used for financial transactions at 
all levels, it is natural to expect all levels of criminals to target information systems in order to 
achieve some gain. 

The increasing interconnectivity of information systems makes them a tempting target for 
political dissidents. Activities of interest to this group include spreading the basic message of 
their cause by a variety of means as well as inciting others to actions. An example is the political 
dissident in this country who sent out e-mails urging folks to send e-mail bombs to the White 
House server. 

By attacking those targets in a highly visible way, the terrorist hopes to cause the media to 
provide a great deal of publicity of the action, thereby further disseminating the message of fear 
and uncertainty. 

A significant threat that cannot be discounted includes activities engaged on behalf of competitor 
states. The purpose behind such attacks could be an attempt to influence U.S. policy by isolated 
attacks; foreign espionage agents seeking to exploit information for economic, political, or 
military intelligence purposes; the application of tactical countermeasures intended to disrupt a 
specific U.S. military weapon or command system; or an attempt to render a major catastrophic 
blow to the United States by crippling the National Information Infrastructure. 

It is necessary to distinguish between what a layman might consider a “major disruption,” such as 
the three New York airports simultaneously being inoperable for hours; and a “strategic” impact 
in which both the scope and duration are of dramatically broader disruptions. The latter is likely 
to occur at a time in which other contemporaneous events make the impact potentially 
“strategic,” such as during a major force deployment. 
government-sponsored theft and transfer to offshore competitors of intellectual property from 
U.S. manufacturing firms. 

The media also reports instances of disgruntled employees, contract employees, and ex- 
employees of firms using their access and knowledge to destroy data, to steal information, to 
conduct industrial espionage, invade privacy-related records for self-interest and for profit, and to 
conduct fraud. (An MCI employee electronically stole 60,000 credit card numbers from an MCI 
telephone switch and sold them to an international crime ring. MCI estimated the loss at $50 
million.) Malicious activity by “insiders” is one of the most difficult challenges to information 
assurance. 

DISA reported that it responded to 255 computer security incidents in 1994 and to 559 incidents 
in 1995. Of the 1995 incidents, 210 were intrusions into computers, 310 were virus incidents, and 
39 fell into another category. This is probably just the tip of a very large iceberg. Last year, DISA 
personnel used "hacker-type" tools to attack 26,170 unclassified DoD computers. They found that 
3.6 percent of the unclassified computers tested were "easily" exploited using a "front door" attack 
because the most basic protection was missing, and that 86 percent of the unclassified computers 
tested could be penetrated by exploiting the trusted relationships between machines on shared 
networks. Worse, 98 percent of the penetrations were not detected by the administrators or users 
of these computers. In the 2 percent of cases where the intrusion was detected, it was reported 
only 5 percent of the time. This works out to less than one in a thousand intrusions being both 
detected and reported. These detection and reporting statistics suggest that up to 200,000 
intrusions might have been made into DoD's unclassified computers during calendar year 1995. 
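The "trusted relationships between machines on shared networks" that let DISA's assessment team 
into 86 percent of the hosts tested were, on Unix systems of that period, typically the Berkeley 
r-command trust files, /etc/hosts.equiv and per-user .rhosts, which grant password-less rlogin and 
rsh to the hosts they list. The report does not name the mechanism, so that identification is an 
assumption here. The Python below is an added example, not code from the report or from DISA: 
it audits such files for the entries that matter, then walks the resulting trust graph to show how 
far an intruder who owns a single machine can spread. The five-host fleet and its file contents are 
constructed for illustration.

```python
"""Audit Berkeley r-command trust files (hosts.equiv / .rhosts) and walk the trust graph.

Added example, not from the DSB report.  Syntax follows the classic hosts.equiv(5) rules:
each line is "hostname [username]"; a bare "+" in either field means "any"; a leading "-"
denies; "+@name" refers to an NIS netgroup; "#" starts a comment.  FLEET is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Finding:
    host: str       # host whose trust file contains the entry
    line_no: int    # 1-based line in that file
    entry: str      # the offending line, stripped
    severity: str   # "critical", "high" or "medium"
    reason: str

def parse_entry(raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Split one trust-file line into (host_field, user_field); None for blank/comment lines."""
    text = raw.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)

def is_denial(src: str, user: Optional[str]) -> bool:
    """A leading "-" on either field revokes rather than grants trust."""
    return src.startswith("-") or (user is not None and user.startswith("-"))

def audit_trust_file(host: str, content: str) -> List[Finding]:
    """Flag every entry that hands an intruder on another machine a password-less login on `host`."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(content.splitlines(), start=1):
        parsed = parse_entry(raw)
        if parsed is None or is_denial(*parsed):
            continue
        src, user = parsed
        entry = raw.strip()
        if src == "+" and user == "+":
            findings.append(Finding(host, line_no, entry, "critical",
                                    "any user on any host may log in without a password"))
        elif src == "+":
            findings.append(Finding(host, line_no, entry, "critical", "every host is trusted"))
        elif user == "+":
            findings.append(Finding(host, line_no, entry, "high", f"every account on {src} is trusted"))
        elif src.startswith("+@"):
            findings.append(Finding(host, line_no, entry, "medium",
                                    f"trust delegated to netgroup {src[2:]}; one compromised member suffices"))
        else:
            findings.append(Finding(host, line_no, entry, "medium",
                                    f"{src} is trusted; compromising it yields a login here"))
    return findings

def trust_edges(fleet: Dict[str, str]) -> Dict[str, Set[str]]:
    """edges[a] = set of hosts whose trust file admits logins originating from host a."""
    edges: Dict[str, Set[str]] = {h: set() for h in fleet}
    for target, content in fleet.items():
        for raw in content.splitlines():
            parsed = parse_entry(raw)
            if parsed is None or is_denial(*parsed):
                continue
            src, _user = parsed
            if src == "+":                      # any host: every other fleet member gets an edge in
                for other in fleet:
                    if other != target:
                        edges[other].add(target)
            elif src in fleet:                  # netgroups ("+@...") are not resolved in this example
                edges[src].add(target)
    return edges

def reachable_from(compromised: str, fleet: Dict[str, str]) -> Set[str]:
    """Hosts an intruder holding `compromised` can reach by chaining trust (transitive closure)."""
    edges = trust_edges(fleet)
    seen: Set[str] = set()
    frontier = [compromised]
    while frontier:
        current = frontier.pop()
        for nxt in edges.get(current, ()):
            if nxt != compromised and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

# Constructed fleet: host name -> contents of its /etc/hosts.equiv.
FLEET: Dict[str, str] = {
    "alpha":   "# alpha trusts nobody\n",
    "bravo":   "alpha\n",
    "charlie": "bravo\n+@nis-admins\n",
    "delta":   "+ +\n",                          # the "front door" left wide open
    "echo":    "-bravo\ncharlie root\n",
}

if __name__ == "__main__":
    for name, text in FLEET.items():
        for f in audit_trust_file(name, text):
            print(f"{f.host}:{f.line_no} [{f.severity}] {f.entry!r}: {f.reason}")
    print("from alpha an intruder can chain into:", sorted(reachable_from("alpha", FLEET)))
```

Run as a script, the audit flags delta's "+ +" as critical and every named-host entry as a 
transitive risk; the closure shows that a foothold on alpha, which itself trusts nobody, reaches 
all four other machines through bravo, charlie and echo in turn. That chaining, not any single 
weak host, is what the 86 percent figure describes.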

Whatever the number, unknown intruders have been routinely breaking into unclassified DoD 
computers, using passwords and user identities stolen from the Internet, since late 1993. Once 
the intruders enter the computers masquerading as the legitimate users, they install “back doors” 
so that they can always get back into the computer. These intruders have gained access to 
computers used for research and development in a variety of fields: inventory and property 
accounting, payroll and business support, supply, maintenance, e-mail files, procurement, health 
systems, and even the master clock for one-fourth of the world. They have modified, stolen, and 
destroyed data and software and have shut down computers and networks. 

Such intrusions are not limited to DoD. Information age “electronic terrorists” have penetrated 
commercial computers and data-flooded or “pinged” network connections to deny service and 
destroy data to further their cause: an environmental group sponsored such attacks to call 
attention to their message and to punish a business with which they disagreed. 

In the early 1980s an intruder required a high level of technical knowledge to successfully 
penetrate computers. By the early 1990s automated tools for disabling audits, stealing 
passwords, breaking into computers, and spoofing packets on networks were common. These 
tools are easy to use and do not require much technical expertise. Most have a friendly graphical 
user interface (GUI); automated attacks can be initiated with a simple click on a computer 
mouse. 
A CD-ROM entitled The Hacker Chronicles, Vol II, produced by P-80 Systems and available at 
hacker shows for $49.95, contains hundreds of megabytes of "hacker" and information security 
information including automated tools for breaking into computers. The package carries this 
warning notice: 

The criminal acts described on this disk are not condoned by the publishers and 
should not be attempted. The information itself is legal, while the usage of such 
information may be illegal. The Hacker Chronicles is for information and 
educational purposes only. All information in this compilation was legally 
available to the public [readily available on the Internet] prior to this 
publication. 

Attacks are not just based on the use of smart tools. Simple social engineering—impersonation 
and misrepresentation to obtain information—remains very productive. The ruses are many: 
providing a free software upgrade that has been doctored to circumvent security, or a 
"customer" demanding and receiving support over the telephone from a customer-oriented firm. 

Additional details on the Task Force assessment of the threat are provided in Appendix A, Threat 
Assessment. 

The nature of the danger is evident in an assessment of the current risk, which is based on the 
presence of a threat; the vulnerabilities of our networks and computing systems; the measures 
available to counter an attack; and the impact resulting from the loss of critical information, 
information systems, or information networks. This is depicted in Exhibit 2-7. 

Exhibit 2-7. The Risk — A Clear and Present Danger 
The Task Force believes that the overall risk is significant because of the following factors: 

• The current threat is significant 
• The vulnerabilities are numerous 
• The ability of the Department to fulfill its missions is at stake 
SECTION 3 

OBSERVATIONS 


The Task Force agrees with the observation of the Deputy Secretary shown in Exhibit 3-1 below. 
This section discusses several areas in the Department and in the larger national security 
environment where we can make rapid progress on responding to this challenge. 

“This is not a problem we will solve. It is one we can get a handle on.” - DEPSECDEF White 

• While information warfare is a national security issue that goes beyond DoD, it is warfare 
  and DoD must play a major role. 
• Information warfare is different 
  - IW attack objective is generally a critical function or a process; targets include 
    information, computers, systems, networks, facilities, and people 
  - It's adaptive 

Exhibit 3-1. Initial Observations 

The threat posed by information warfare is not limited to the realm of national defense, and the 
effort to control the problem must encompass broader national security interests, including 
civil agencies, regulatory bodies, law enforcement, the Intelligence Community, and the private 
sector. 

Unlike an attacker in conventional war, an attacker using the tools of information warfare can 
strike at critical civil functions and processes such as telecommunications, banking or 
transportation and other centers of gravity, or even at the stability of the social structure, 
without first engaging the military. Such a strategic information warfare attack can occur 
without forewarning or escalation of other events. In addition, attacks on the civil infrastructure 
could impede the actions of the military as much as a direct attack on the military's force 
generation processes or command and control. 

However, we should not forget that information warfare is a form of warfare, not a crime or act 
of terror. The Secretary of Defense individually, and the Department of Defense collectively, have 
two basic responsibilities: to provide for the "common defense" of the United States, and to be 
"ready to fight ... with effective representation abroad" [A National Security Strategy of 
Engagement and Enlargement, The White House, February 1996]. By first focusing on improving 
its ability to manage the information warfare challenge to the defense mission, the [...] national 
centers of gravity. 

Exhibit 3-2 suggests some additional ways in which information warfare differs from 
conventional warfare. Information warfare offers anonymity to potential attackers. Attackers can 
hide in the mesh of internetworked systems and often use previously compromised systems to 
launch their attacks. The lack of spatial and political boundaries in cyberspace offers further 
anonymity. Information warfare is relatively cheap to wage and requires [little] investment for 
resource-poor [adversaries]. 

Exhibit 3-2. Information Warfare is Different 
Exhibit 3-3 shows that information warfare has been particularly troublesome for the Intelligence 
Community because IW is a non-traditional intelligence problem. It is not easily discernible by 
traditional intelligence methods. Formerly, capabilities were derived from unique observables 
and indicators of military capability open to our sensors, amenable to cataloging in databases, 
and understandable by classic analytic techniques. With information warfare, however, the 
following elements come into play: 


• Relevant questions 

- What do we need to know? What should we look for? Where do we look? 

• Traditional methods are not effective 

- Observables, indicators, experience, databases, analysis techniques, ... 

- Suggesting intent will be extremely difficult 

• Key commercial technologies have lethal possibilities 

• Technology is ubiquitous and relatively simple 

• “Business” processes are complex 

• HUMINT is still extremely important 

• Required skill set much broader and deeper in educational level 

- Computer scientists, network engineers, electronics engineers, business 
process engineers 

- More MSs and PhDs 

Exhibit 3-3. Intelligence Community Observations 

• The physical attributes of conventional and nuclear forces can be observed and 
quantified. The alert posture and movement of forces provided indications of potential 
threat. Our understanding of such patterns gained from long experience in observing 
known adversaries, the orders of battle stored in our databases, and the related analytic 
skills were well suited for understanding historic threats and from such insights we 
derived “intent.” These skills are largely irrelevant in the information warfare 
environment. 

• Now, key technologies designed for completely innocent applications can be used as 
weapons. For example, software used to test systems can also be used to penetrate 
systems. 

• The technology required for information warfare is available everywhere. 

• However, the "business" or "war" processes that must be penetrated to determine 
capabilities and intent are relatively complex, which means that human intelligence and 
counter-intelligence will continue to play a vital role. It is not easy to identify sources of 
attacks, intent, etc. in the information age. 

• Finally, the technical skills required by our intelligence collectors and analysts in order to 
deal with these new challenges are much broader and deeper and more sophisticated than 
those required in the past. The intelligence community will require more personnel with 
advanced scientific degrees and a deep technical understanding of process, computer, and 
network design and of leading-edge technologies to meet the challenge adequately. 
present, this taxonomy would not [describe the] scale [at] which attacks could be mounted against 
[...] or the time periods [...]. The derivation of the taxonomy is discussed in Appendix C, A 
Taxonomy for Information Warfare. 

However, by adopting concepts used in threat alerting and for [...] Panels of the Task Force, we 
[...] specific information-dependent [...] 

• We lack a common vocabulary 
  - Task Force could not find or derive a useful IW taxonomy 
  - Scale, time factors, sequence of attacks, [...] 
  - Task Force proposes a standard vocabulary for IW-D readiness assessment and reporting 
    and for threat warning 
• Resources are focused on classified content and systems 
• It is easy to make the IW-D problem too hard 
  - Focus too broadly (GII/NII versus DII) or narrowly (definitions, legal [...]) 
  - Focus on solving political or social problems before addressing IW-D 
• Acquisition policy and practices pose dilemmas 
  - Current practices trade off security 
    • Functionality, performance, number of systems 
  - Policy is clear 
    • DoDD 5000.1 and DoDD 5000.2-R emphasize IW 

Exhibit 3-4. Additional Observations 


The reality of limited [resources means that] functionality, performance, and numbers of 
[systems are emphasized] at the expense of security. On a positive note, recent policy directives 
clearly state the need for attention to the information warfare aspects of system [acquisition]. 
For example, DoDD 5000.1 indicates that acquisition programs should consider how security 
procedures and practices will be implemented and how the system will [respond] to the effects 
of information warfare. The Task Force was disappointed to [...] 

Bottom line: policy exists, it is not yet uniformly implemented or enforced, and it requires 
resources in implementation. 

Exhibit 3-5 suggests that infrastructure resilience has been demonstrated repeatedly during 
[...] aided the propagation of the worm. 

• Cascading effects have occurred, are difficult to predict 
  - Infrastructure robustness untested 
  - Infrastructure recovery uncertain 
• Area and perimeter defenses are not sufficient! 
  - Resiliency and repairability are critical to information survivability 
  - Information domains are essential 
  - Scale of IW-D for a distributed computing environment not well understood 
• Easy technical solutions are not apparent 

Exhibit 3-5. Additional Observations 
[...] which might result from cascading effects and which will [...] effectively employ area and 
perimeter [defenses ...] information warfare (defense) capability. 

The Task Force does not want to imply that the various actions taken over the years by the 
INFOSEC community do not have roles in IW defense. INFOSEC [...] information warfare 
defense capacity. Unfortunately, to many, INFOSEC has become shorthand for protecting the 
confidentiality of information. 
Exhibit 3-6. Additional Observations 
sector to achieve desired assurance goals, and some incentives (such as revisions to the tax 
structure). 

• DoD role in national information security questioned 
• Market forces alone will not solve the problem 
  - Need legislation, regulation, indemnification, incentives, altruism 
• The "seams" (and information sharing) are critical 
  - Offense - Defense 
  - Government - Industry 
  - Commerce 
  - Multinational 
  - U.S. industry 
• Solutions will have to address national and regional challenges, not just local 
  - Federal Response Plan model 
• Local processes, procedures and mechanisms must 
  - Be distributed across geography, organizations, and logical and political boundaries, 
    yet be tailored to the needs of affinity groups 
  - Not be under or depend on centralized control 

Exhibit 3-7. Additional Observations 


The seams are critical. Currently, information necessary for an effective information warfare 
(defense) capability is not shared effectively across the seams. Information warfare (offense) is 
highly compartmented in spite of the fact that it shares common technology and operating 
environment with the information warfare (defense) community. In some cases, the military, law 
enforcement and intelligence communities are restricted by law, executive order, or regulation 
from sharing certain information. Historically, these communities are notoriously bad at sharing 
information. There are very few mechanisms for government and industry to share sensitive 
information such as vulnerabilities and intrusions. This lack derives primarily from the 
competitive sensitivity of information that is required for an effective information warfare 

(defense) capability. 

In addition, at the national level, there are competing equities at stake in nearly every information 
warfare issue. Not only do these interests compete among each other, there are competitive 
SECTION 4 

WHAT SHOULD WE DEFEND? 


Determination of what to defend should follow from our nation’s vital interests as documented in 
the current national security strategy. On the basis of these interests, the Task Force postulated 
the goals shown in Exhibit 4-1 . Given the available time, it was not possible for the Task Force 
to address each of these goals in detail. However, the Task Force did develop a set of national- 
level defensive information warfare interests based on these goals. 


Vital interests (A National Security Strategy of Engagement and Enlargement, The White House, 
February 1996) 
  - Enhance our security with military forces that are ready to fight and with effective 
    representation abroad 
  - Bolster America's economic revitalization 
  - Promote democracy abroad 

Goals 
  - Stable monetary, financial and banking systems which enjoy public confidence 
  - Free trade 
  - Continuity of government and constitutional authority 
  - Personal privacy 
  - Ability to deploy, employ and support military forces 
  - Protected intellectual property 
  - Venue for resolution of policy issues among government, individuals and the private 
    sector 
  - Availability of emergency services for any emergency, natural or man-made 
  - National standards for "reasonable" protection regimes for public and private networks 
  - Stimulate research, development and application of technologies for IW-D 

Exhibit 4-1. National Goals For Information Warfare (Defense) 


Exhibit 4-2 indicates the national interests that must be defended. The emphasis is on defending 
critical functions and processes, not on defending forces, platforms, or geography. As was the 
case in developing an ensured means of control for the strategic nuclear deterrent, some critical 
information infrastructure capabilities must be isolated from the interconnected national and 
global information infrastructure to ensure they are available to support and manage the 
restoration of critical functions. 
SECTION 5 

HOW SHOULD WE DEFEND? 


5.1 PROCEDURES, PROCESSES AND MECHANISMS 

Exhibit 5-1 depicts the essential procedures, processes, and mechanisms for IW-D. They are 
based on the defensive information warfare implementation model developed by the Information 
Assurance Division of the Joint Staff J6. An essential step in preparing an information warfare 
defense is the identification of critical national information functions and the information, 
information services, and infrastructures upon which these functions depend. 



Exhibit 5-1. Procedures, Processes, and Mechanisms 

The first order of business is to deter information warfare attacks. This deterrence must include a 
national will as expressed in law and conduct, a declaratory policy on consequences of an 
information warfare attack against the United States, and an indication of the resiliency of the 
information infrastructure to survive an attack. 

The most immediate need is to provide some form of protection. This protection might include 
physically isolating information, providing some form of access control and authentication of 
personnel performing critical functions or accessing information, or encryption of the 
information. As time permits, the information infrastructure supporting critical functions should 
be designed for utility, resiliency, repairability, and security. An equally important function is to 
verify through independent assessments that the design is being followed, that protective [...] 

Protect information commensurate with its intended use. In certain circumstances, 
unclassified but sensitive information (e.g., weather and terrain data) may have more tactical 
significance than classified information (e.g., outdated intelligence estimates). 


Integrate policy, technical, operational, and personnel aspects. Each of these aspects is 
treated separately for the various communications, information, and security disciplines. 
They must be integrated for both efficiency and effectiveness. 

Use Service/Agency core competencies. All ongoing relevant activities must be reviewed 
to preclude reinventing the wheel. 

Build on current programs and initiatives. Use the ongoing information security activities 
and programs and those of related security disciplines as the foundation for achieving an 
IW-D capability. 

Emphasize solutions to the traditional weak link—the person. Nearly all espionage 
convictions are based on an inside threat. IW-D activities must address this issue head 
on. 

Harmonize IW-D, OIW, INFOSEC, and intelligence support functions. These closely 
related functions are based on many common technologies and processes and must be 
mutually supporting. 

Harmonize activities to protect the NII, the GII, and the DII. Work toward a consistent 
approach and economies of scale in protecting these highly interconnected infrastructures. 

Conduct vigorous interagency coordination. The rapidly evolving and highly complex 
DII requires proactive measures to preclude duplication of effort and contradictory goals. 


SECTION 6 


RECOMMENDATIONS 


The key recommendations are those which can be implemented by the Secretary of Defense. 

Other recommendations are included which the SECDEF should make to the Director of Central 
Intelligence, and those which relate to the President’s Commission on Critical Infrastructure 
Protection or the Infrastructure Protection Task Force. 

6.1 DESIGNATE AN ACCOUNTABLE IW FOCAL POINT 

This is the most important recommendation the Task Force has to offer. Multiple lead 
organizations with no clear principal staff assistant have led to confusion and slow progress to 
date. Boards and councils are important for discussing the issues, but have not and cannot 
provide the needed focus. Although many of the tools used to carry out information warfare have 
been around for a long time, the nature of information-dominated societies and activities makes it 
appropriate to view information warfare as a new warfare area. Information warfare is not the 
sole responsibility of the Chief Information Officer, the Assistant Secretary of Defense for C3I, 
the Director of Central Intelligence, the Chairman of the Joint Chiefs of Staff, the Secretaries of 
the Military Departments, or the Service Chiefs. Each of these is, however, responsible for a 
portion of this new warfare area. The Secretary of Defense, however, needs a single person and 
office to plan and coordinate this complex activity, as well as to serve as a single focal point 
charged to provide staff supervision of the complex activities and interrelationships involved. 
This includes oversight of both offensive and defensive information warfare planning, 
technology development, and resources. Given the interconnected nature of the information 
infrastructures, it is critical that the left hand knows what the right hand is doing and that these 
complex activities are coordinated. 

This single focal point should be required to report regularly on the state of the areas shown and 
to provide informed interaction with other interagency and intergovernmental IW-related 
activities, as shown in Exhibit 6-1. 
• Confusion and slow progress to date 
• Boards and councils have not provided a focus 
• Information warfare is a new warfare area 
  - It is not Intel, C2, CIO 
• Charge focal point to "pull it all together" 
  - Staff supervision of both offensive and defensive IW 
  - Promulgate integrated policy 
  - Ensure development of information warfare theory, doctrine and practice 
  - Assess and report regularly to the SECDEF/DEPSECDEF on 
    • Policy and plans 
    • Preparedness 
    • Intelligence support 
    • Allocation of resources to IW 
  - Interface to interagency/intergovernmental activities 

Action: 
  - Designate ASD(C3I) as the accountable focal point for all IW issues 
    • Develop a plan and associated budget beginning in FY 97 to obtain needed IW-D 
      capability 
    • Report annually to the SECDEF on IW status 
    • Authorize issuing of instructions 
    • Long view suggests USD(Information) 
  - Establish a DASD(IW) and supporting staff (ASD(C3I) lead) 
    • Bring together as many functions as possible 

Exhibit 6-1. Designate an Accountable IW Focal Point 


The Task Force recommends that the Secretary of Defense designate a focal point for the 
coordination of information warfare. While the focal point could be any of the existing Under 
Secretaries or Assistant Secretaries, the Task Force recommends that the focal point be the 
Assistant Secretary of Defense for C3I. The first order of business for the focal point should be 
to develop a plan of action to obtain the needed capabilities. The focal point should also report 
the Department’s IW status annually to the SECDEF. The focal point should be given authority 
to issue instructions. The long view suggests the eventual need for an Under Secretary of 
Defense for Information. While the Task Force does not make such a recommendation at this 
time, there was strong sentiment within the Task Force in support of organizing for the long 
view. The Task Force also recommends that a Deputy Assistant Secretary reporting to the 
ASD(C3I) be named and provided an adequate supporting staff to assist in providing the 
necessary staff oversight and coordination of information warfare activities. The Task Force 
hope is that as many IW-related functions as possible would be consolidated under this 
individual. 
6.2 ORGANIZE FOR IW-D 

Before discussing specific organizational recommendations, this section briefly discusses what 
the Task Force views as necessary capabilities for IW-D. Exhibit 6-2 shows the capabilities the 
Task Force determined are necessary for an effective information warfare (defense) and which 
are not adequately addressed in the Defense Department's current information warfare (defense) 
planning. 

1. Intelligence indications and warning, current 
intelligence and threat assessment 

2. Operations (911) 

3. Planning and coordination (411+) 

4. System, network and infrastructure design 

5. Independent assessments 


Exhibit 6-2. Organize for IW-D 

Section 3, Observations, addressed the need for intelligence indications and warnings, current 
intelligence, and threat assessment. A specific recommendation which addresses the needed 
improvements in intelligence support to information warfare (defense) follows. 

“Operations” as used in Exhibit 6-2 is shorthand for those time-sensitive activities necessary for 
dealing with an actual intrusion or attack. While not fully analogous, the Task Force sometimes 
refers to these capabilities as 911 or emergency response capabilities. Remember that these 
operations capabilities must be distributed throughout the Department: down through the 
Military Departments and Services and the Defense Agencies and through the CINCs to the 
operating forces. 

“Planning and coordination” is shorthand for preparedness activities. The Task Force has taken 
to referring to these capabilities as enhanced 411 or 411+ capabilities. Once again, the analogy is 
not completely accurate since it does not convey what will certainly be a broader interactive 
capability, but it does help to make quick associations with intended capabilities. 

One of the more critical needs is a continued capability to obtain an independent assessment of 
our information warfare (defense) posture. While these assessments can be carried out at any 
level, the Task Force feels that there should be a capability established which is accountable 
directly to the SECDEF/DEPSECDEF. In addition, the organization established to provide this 
capability should be staffed with people who are knowledgeable of all types of threats and of 
both the DoD and private sector environments. 
6.2.1 Establish a Center For Intelligence Indications and Warning, Current Intelligence, 
and Threat Assessments 

Current intelligence resources and processes are not optimized to provide an understanding of 
threats and potential adversary capabilities to conduct Information Warfare; nor are they 
presently capable of providing either Indications and Warning or Attack Assessment of 
Information Warfare. An understanding of the IW process and indications of an IW attack will 
most probably require an unusual amalgamation of otherwise seemingly unrelated sets of data. 
The lack of previously identified and validated indicators for IW creates several additional 
difficult dimensions to the problem facing the Intelligence and Defense communities’ efforts to 
understand all aspects of IW. 

The United States has, over nearly four decades, identified many sets of data comprising 
indicators of activities by potential adversaries (communist-bloc). These indicators have 
provided the foundation of our intelligence assessment and indications and warning processes. 
Examples of these include known and understood development processes and cycles for military 
equipment ranging from ICBMs to submarines to bomber aircraft. Thus, if we observed earth 
spoil on overhead imagery indicating a possible new heavy ICBM silo was under construction, 
we could adjust our threat understanding accordingly. Similarly, we might observe Soviet 
Missile Range Instrumentation Ships moving toward areas of the Pacific Ocean known (from 
prior observations) to be used by Russia as an impact area for ICBM tests, and we would 
conclude that a missile test was in the offing. Or, if a Mediterranean nation began to import 
chemicals which could be used either in fertilizer or in chemical agents for war, we could be on 
the alert for other indications of chemical gas production such as special buildings, storage 
facilities or personalities known to possess technical knowledge necessary to produce chemical 
weapons. 

In a more operational vein, over time we began to understand communist-bloc strategy, doctrine, 
and tactics as well. All of this knowledge was gained from a series of observations over several 
years. We were able to use this knowledge as we planned for combat and designed and executed 
wargames. Over four decades, with the expenditure of billions of dollars, collection, analysis, 
and reporting systems were optimized to deal with these known, discrete indications of activity. 
These "known indicators" permitted us to conduct intelligence assessments, Indications and 
Warning, and in some cases, attack assessments. 

There were several factors involved in our gathering these data sets. The first is that we (and 
others) have made enough similar observations to establish "patterns of activity." Secondly, 
these observations have either caused us, or permitted us, to identify a number of discrete 
activities that we conclude are indicative of the "entire pattern," or significant segments of the 
pattern. Thirdly, having noted one or more of the discrete indicators, we know what other 
indicators to look for to corroborate our suspicions. 

Information Warfare is a whole new game from the Intelligence dimension. We have precious 
few real data from which to derive “patterns of activity.” This is made all the more difficult 
because so many of the “indicators” we have used in the past have involved some physical 
phenomena. In IW, at least in the computer and networked components of it, evidence of IW is 
fleeting at best and is usually not physically observable. The Intelligence Community is working 
hard to address some of these issues; but progress is hampered by organizations, processes, and 
systems optimized for situations found in the past, not the future. Evidence of IW preparations 
or attacks is most likely to come from a wide variety of sources and venues: from the more than 
50 Computer Emergency Response Teams (CERT) around the world, from nodes of different 
segments of our National Information Infrastructure, from academia, from the Internet, from law 
enforcement agencies, from FEMA, and of course from traditional Intelligence Community 
resources such as human, signals, and open source intelligence. The Defense Science Board 
believes that some new approaches to collection and analysis are urgently needed. 
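The three steps described above (enough observations to establish a pattern, discrete indicators 
that stand for the pattern, and knowledge of which other indicators to look for once one is seen) 
have the same structure whether the inputs are imagery of silo construction or CERT reports of 
probing against trust relationships. The Python below is an added example, not from the report or 
from the Intelligence Community: it encodes a pattern as a set of indicators with a corroboration 
threshold, fuses attributed reports from several of the source types the paragraph above lists, and 
for each subject returns both a verdict and the indicators still missing, that is, what to look for 
next. The pattern, indicator names, source labels and reports are all hypothetical; as the report 
itself notes, validated IW indicators do not yet exist.

```python
"""Indications-and-warning sketch: pattern -> discrete indicators -> corroboration.

Added example; not from the DSB report.  The pattern, indicator tags, source
labels and reports are hypothetical, constructed to show the method only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

@dataclass(frozen=True)
class Report:
    source: str      # CERT, NII-node, LE (law enforcement), HUMINT, SIGINT, OSINT, ...
    subject: str     # actor or campaign the analyst attributes the observation to
    indicator: str   # discrete indicator tag the analyst assigned

@dataclass(frozen=True)
class Pattern:
    name: str
    indicators: FrozenSet[str]   # discrete activities that, together, form the pattern
    threshold: int               # indicators needed before the pattern is called "indicated"
    min_sources: int = 2         # independent sources required, so one bad feed cannot raise a warning

@dataclass(frozen=True)
class Assessment:
    subject: str
    pattern: str
    matched: FrozenSet[str]      # indicators observed for this subject
    missing: FrozenSet[str]      # indicators to look for next, to corroborate or refute
    sources: FrozenSet[str]      # independent sources behind the matched indicators
    indicated: bool

# Hypothetical pattern: preparation for a coordinated intrusion campaign.
CAMPAIGN_PREP = Pattern(
    name="intrusion-campaign-preparation",
    indicators=frozenset({
        "recruiting-technical-talent",    # HUMINT
        "acquiring-attack-tools",         # LE / OSINT
        "scanning-target-networks",       # CERT / NII-node
        "probing-trust-relationships",    # CERT
        "staging-compromised-hosts",      # CERT / NII-node
        "funding-transfers",              # LE
    }),
    threshold=3,
)

def assess(reports: Iterable[Report], patterns: Iterable[Pattern]) -> Dict[Tuple[str, str], Assessment]:
    """Fuse reports per subject and score every pattern against that subject's indicators."""
    patterns = list(patterns)
    by_subject: Dict[str, List[Report]] = defaultdict(list)
    for r in reports:
        by_subject[r.subject].append(r)
    results: Dict[Tuple[str, str], Assessment] = {}
    for subject, subject_reports in by_subject.items():
        for p in patterns:
            relevant = [r for r in subject_reports if r.indicator in p.indicators]
            matched = frozenset(r.indicator for r in relevant)
            sources = frozenset(r.source for r in relevant)
            indicated = len(matched) >= p.threshold and len(sources) >= p.min_sources
            results[(subject, p.name)] = Assessment(subject, p.name, matched,
                                                    p.indicators - matched, sources, indicated)
    return results

def watch_list(results: Dict[Tuple[str, str], Assessment]) -> Dict[Tuple[str, str], FrozenSet[str]]:
    """Partially matched but not indicated: the corroborating indicators collectors should seek."""
    return {key: a.missing for key, a in results.items() if a.matched and not a.indicated}

# Constructed reports.  group-B is deliberately single-source: three indicators from one CERT feed.
REPORTS: List[Report] = [
    Report("CERT", "group-A", "scanning-target-networks"),
    Report("NII-node", "group-A", "scanning-target-networks"),   # same indicator, independent source
    Report("HUMINT", "group-A", "recruiting-technical-talent"),
    Report("LE", "group-A", "acquiring-attack-tools"),
    Report("CERT", "group-B", "probing-trust-relationships"),
    Report("CERT", "group-B", "scanning-target-networks"),
    Report("CERT", "group-B", "staging-compromised-hosts"),
    Report("LE", "group-C", "wire-fraud"),                       # not part of the pattern
]

if __name__ == "__main__":
    results = assess(REPORTS, [CAMPAIGN_PREP])
    for (subject, pattern), a in sorted(results.items()):
        print(f"{subject} / {pattern}: indicated={a.indicated} "
              f"matched={sorted(a.matched)} sources={sorted(a.sources)}")
    for (subject, _pattern), missing in watch_list(results).items():
        print(f"look next for {sorted(missing)} on {subject}")
```

group-A crosses the threshold with four independent sources and is indicated; group-B shows the 
same three indicators but from a single CERT feed, so it lands on the watch list with the three 
missing indicators as the collection tasking, which is the "what other indicators to look for" step 
made explicit. The min_sources rule is the caveat the fleeting, easily forged nature of IW evidence 
calls for: one feed's word should raise a question, not a warning.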

The intelligence community understands as well as any that they face a tremendous challenge in 
developing information-age intelligence support activities. Some of the Task Force observations 
regarding these challenges were discussed earlier in the report and are shown in Exhibit 6-2-1. It 
is no easy matter to pinpoint the requirements, identify observables, establish patterns and 
indicators of the patterns, identify sources of the indicators, or determine how the sources will be 
exploited to collect the information necessary to develop the indicators. 


• Functions 

  - Identify requirements, observables, patterns, indicators, sources, collection methods 

  - Develop analysis techniques, data bases, threats 

Action: SECDEF formally request the DCI: 

  - Establish an I&W/TA center at NSA with CIA and DIA support 

  - Task and resource the intel community to develop the processes for Current Intelligence, 
    I&W/TA for IW-D 

  - Encourage the intel community to develop information-age trade craft, staff with the right 
    skills, and train for the information age 

  - Conduct comprehensive case studies of U.S. offensive programs and a former foreign 
    program to identify potential indicators (collection, funding, training, etc.) 

  - Establish an organization to examine and analyze probable causes of all security breaches 

    • Goal is to identify improved and cost-effective security practices 

    • Must have full access to all pertinent information and people, procedures, facilities 
      (all sources) 

    • Findings will not be used for administrative or legal action 

  - Develop and implement an integrated National Intelligence Exploitation Architecture to 
    support the organization and processes 

Action: SECDEF 

  - Direct development of IW Essential Elements of Information (EEI) (ASD(C3I) lead) 

Exhibit 6-2-1. Establish a Center for Intelligence Indications and Warning, 
Current Intelligence, and Threat Assessments 
The recommendation to establish the center at NSA recognizes their role in electronic 
intelligence and is meant to build upon recent organizational efforts at NSA. However, NSA 
must be augmented by DIA and CIA personnel because of the extensive social engineering 
component of information warfare. The Task Force believes it is essential to keep separate the 
intelligence and operations functions. The reason for the separation is that these functions are 
different. The intelligence community focuses on strategic warning and the operations 
community focuses on continuity of service and the warning and response to immediate danger. 

The Task Force believes the recommendations in Exhibit 6-2-1 are key to improving the 
intelligence support to defensive information warfare. While there has been some activity in 
these areas, the whole process needs a significant jump start. In addition, representatives from 
the intelligence community pointed to the lack of Essential Elements of Information (EEIs) from 
the operational community as a contributing factor to the intelligence challenge. This should not 
be an inhibitor to progress. 

There may, in fact, be a need to form a National Center for Indications and Warning. This center 
would gather and analyze monitoring data continuously. The data would be derived from 
commercial infrastructure systems as well as government. The center could be charged with 
searching for and detecting early signs and precursors of a wide scale, coordinated attack and 
with providing warnings to U.S. government and private sector organizations. Toward that end, 
a phased approach would be appropriate, beginning with a DoD-specific organization which is 
scalable and extensible, and evolving towards a pan-government and private sector organization. 
Roles of the organization should include gathering and analyzing voluntarily contributed data, 
disseminating findings, and acting as a clearing house to coordinate feedback and responses 
from the community. 
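As an added illustration (not from the report) of what such a center's analysis might look like, the Python below takes constructed event reports contributed from several infrastructure sectors, flags an indicator as a possible precursor of a wide-scale coordinated attack when the same indicator is reported from several distinct sectors within a short window, and, following the earlier remark that noting one indicator tells us which others to look for, lists the indicators of a known pattern that have not yet been observed. Sector names, source names, indicator labels, the pattern and the thresholds are all assumptions made for the example.

```python
"""Cross-sector indicator correlation for an indications-and-warning (I&W) center.

Added example, not from the DSB report. Field names, sectors, sources, indicator
labels, the attack pattern and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    when: datetime
    sector: str       # infrastructure segment that contributed the report
    source: str       # contributing organization (constructed name)
    indicator: str    # normalized indicator label


# Constructed pattern: indicators expected in the run-up to a coordinated attack.
# Seeing one of them tells the analyst which others to ask contributors to look for.
PATTERNS = {
    "coordinated-disruption": {"probe-scan", "cred-reuse", "config-tamper", "dos-burst"},
}


def corroborating_indicators(seen, patterns=PATTERNS):
    """For each pattern that shares an indicator with `seen`, return the pattern's
    indicators not yet observed, i.e. what to look for to corroborate suspicion."""
    seen = set(seen)
    return {name: sorted(inds - seen) for name, inds in patterns.items() if inds & seen}


def coordinated_alerts(reports, window=timedelta(hours=6), min_sectors=3):
    """Flag an indicator when at least `min_sectors` distinct sectors report it
    within `window` of each other. Returns {indicator: sorted sector list}."""
    by_indicator = defaultdict(list)
    for r in sorted(reports, key=lambda r: r.when):
        by_indicator[r.indicator].append(r)
    alerts = {}
    for ind, rs in by_indicator.items():
        start = 0
        for end in range(len(rs)):           # sliding window over time-ordered reports
            while rs[end].when - rs[start].when > window:
                start += 1
            sectors = {r.sector for r in rs[start:end + 1]}
            if len(sectors) >= min_sectors:
                alerts[ind] = sorted(sectors)
                break
    return alerts


def triage(reports, **kw):
    """Combine both views: current alerts plus what to look for next."""
    seen = {r.indicator for r in reports}
    return {"alerts": coordinated_alerts(reports, **kw),
            "look_for": corroborating_indicators(seen)}


# Constructed sample feed: one indicator seen across three sectors within two hours,
# another seen in three sectors but spread over a day, and an unrelated outage.
_T0 = datetime(1996, 11, 1, 8, 0)
_at = lambda hours: _T0 + timedelta(hours=hours)
SAMPLE_REPORTS = [
    Report(_at(0), "telecom", "CERT-A", "probe-scan"),
    Report(_at(1), "power", "UtilityCo", "probe-scan"),
    Report(_at(2), "dod", "DISA-node", "probe-scan"),
    Report(_at(3), "dod", "DISA-node", "cred-reuse"),
    Report(_at(20), "telecom", "CERT-B", "cred-reuse"),
    Report(_at(21), "power", "UtilityCo", "cred-reuse"),
    Report(_at(0), "transport", "RailCo", "unrelated-outage"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

The window and sector-count thresholds are the tunable part: a real center would set them per indicator from observed base rates, which is exactly the "patterns of activity" data the report notes are scarce.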

6.2.2 Establish a Center for IW-D Operations 

The basic required defensive information warfare operations functional capabilities are shown in 
Exhibit 6-2-2. The terms tactical warning and attack assessment are familiar to the strategic 
nuclear forces. They fit in the information warfare context consistent with the definitions in Joint 
Pub 1-02, Dictionary of Military Terms. Providing these capabilities in the information-age 
context, however, is very different than the nuclear era. Emergency response and infrastructure 
restoration are self-explanatory. 



• Functions 

  - Tactical warning (monitor, detect, report) 

  - Attack assessment (analyze, organize defenses) 

  - Emergency response (control damage, reallocate infrastructure assets) 

  - Infrastructure restoration 

• Support CJCS initiative to establish 

  - Military IW operations center (J3 cell, Joint Information Warfare Center) 

    • Support IW aspects of deliberate planning, exercises, and operations 

    • Serve as time-sensitive IW point of contact for CINCs (911) 

    • Serve as IW information source and clearinghouse for CINCs and operations forces 

    • Provide operational liaison with counterpart federal, state and local agencies on 
      matters of immediate relevance to current military operations or exercises 

  - CINC IW cells 

    • Support planning for and conduct of CINC IW activities 

Action (ASD(C3I) lead with CJCS support): 

  - Establish a DoD IW-D operations center (911) at DISA with NCS, NSA, and DIA support 

  - Develop/implement distributed tactical warning, attack assessment, emergency response, 
    and infrastructure restoration procedures 

    • Incorporate national guard, reserves, mobilization augmentees, contractor support 

    • Mandate reporting of all suspected intrusions and computer incidents affecting DoD 
      systems and networks 

  - Interface with Service and Agency capabilities and I&W/TA support 

  - Establish necessary liaison (e.g., military and government operations centers, service 
    providers, intelligence agencies, computer emergency response centers) 

Exhibit 6-2-2. Establish a Center for IW-D Operations 

The Chairman has already undertaken an effort to establish a military operations center and has 
instructed the CINCs to establish IW cells within their staffs. The military operations center will 
consist of two elements. First, a small cell will be established in the J3 and will be staffed during 
normal duty hours. During crises, the J3 cell will have specific authorities over the second 
element, the Joint Information Warfare Center. The Joint Information Warfare Center will be 
staffed 7 days a week, 24 hours a day, and will serve as the interface to organizations such as the 
CINC IW cells, the Joint Spectrum Center, the Joint Warfare Analysis Center, the Joint 
Command and Control Warfare Center, and the Service IW organizations. 

The distinction to be made between the military IW center and the defensive information warfare 
operations center is that the military center will focus on military operations of a time-sensitive 
nature. The defensive information warfare center will be focused on the Defense Information 
Infrastructure and other critical infrastructures as appropriate. 

While the Task Force recommends that the center be established at DISA, current technology 
certainly provides for establishing a virtual center. This virtual center would draw on support 
from geographically dispersed elements. Initial staffing should come from existing assets. As 
suggested earlier, this operations capability must be distributed down and throughout the 
Department, linking, for the most part, existing operations centers, emergency response teams 
and so on. The Task Force envisions eventual links to other government centers including any 
that may result from the actions of the Infrastructure Protection Task Force recently created by 
Executive Order 13010. 

Establishing the center is relatively easy. Developing and implementing the process and 
procedures to be used will be much more difficult; there has been almost no effort devoted to this 
area. One suggestion the Task Force makes is that eventual staffing and procedures take 
advantage of technical expertise available in the national guard, the reserves, mobilization 
augmentees, and contractors. Mandatory reporting sounds easy but may be difficult to 
implement because of a basic fear by those reporting that they will be held accountable for the 
intrusion or incident and that they will have to pay to fix the problem. Mandatory reporting may 
have to be accompanied with some form of inducements such as a “fix it free” offer. It will also 
be necessary to distribute these capabilities throughout the Department and establish an 
information channel with the indications and warning/threat assessment center for sharing of 
information essential to the performance of each center’s mission. 

If national-level centers for infrastructure protection are established as a result of the 
recommendations of the President’s Commission on Critical Infrastructure Protection, then the 
Department should ensure appropriate interfaces are established between DoD functions and 
these centers. 

The tentacles of this Operations Center should be virtually extended to every organization in 
DoD, ranging in scope from a single person serving as point of contact for the organization to 
having an emergency response cell located with the organization. 

DISA should establish a threshold of information event that requires reporting to the Operations 
Center. Every information event reaching that threshold must be reported, and penalties 
established to enforce that reporting. DISA should maintain a knowledge base of that reporting 
and ensure all response personnel are appropriately trained and informed. 

6.2.3 Establish a Center for IW-D Planning and Coordination 

The role of the planning and coordination center, shown in Exhibit 6-2-3, will be to support the 
ASD(C3I) in fulfilling his responsibilities as the focal point and to facilitate the sharing of 
sensitive information within the Department, among the Federal departments and agencies, and 
with the private sector. 



• Functions 

  - Develop IW planning framework 

  - Assess 

    • IW policy and plans 

    • IW preparedness 

    • Intelligence support 

    • Allocation of resources to IW 

    • IW incident reports 

  - Develop procedures and metrics for assessing infrastructure and information dependencies 

  - Facilitate sharing of sensitive information (e.g. threats, vulnerabilities, fixes, tools, 
    techniques) within DoD and among government agencies, the private sector service 
    providers and professional associations 

Action (ASD(C3I) lead): 

  - Establish an IW-D planning and coordination center (411+) reporting to the ASD(C3I) with 
    interfaces to the intelligence community, the Joint Staff, the law enforcement community, 
    and the operations (911) center 

Exhibit 6-2-3. Establish a Center for IW-D Planning and Coordination 


One of the first activities of the planning and coordination center should be to establish a 
planning framework which can provide for meaningful assessments of progress in information 
warfare preparedness. This center will not write plans for the CINCs, Services, and Defense 
Agencies, but will identify the need and means for integrating information warfare considerations 
into traditional planning activities. 

The center will aid the focal point in assessing the treatment and implications of information 
warfare in plans, operations, and the allocation of resources to information warfare. 

The center will also analyze and assess IW-related incident reports generated by the Services and 
Agencies and forwarded to the 911 operations center. The assessment will determine patterns of 
activity that might indicate the need to revise plans or resource allocations. 

Since there is no established method for assessing the dependency of operations plans and DoD 
support activities on information and infrastructures, the center will need to develop 
procedures and metrics for such assessments. The military operations community and the 
functional support community will perform the assessments. These infrastructure dependency 
assessments will be discussed in more detail later in this report. 

Sharing of sensitive information is probably one of the most important first steps in building a 
defensive information warfare capability. There are significant legal, regulatory, competitive and 
emotional hurdles to overcome; these must be addressed as soon as possible. 

6.2.4 Establish a Joint Office for System, Network and Infrastructure Design 

It is not necessary to break the cryptographic protection to attack our classified computing 
environments. The protection paradigm used by DoD is based upon the classification of 
information. However, most classified computer systems contain, and often rely on, unclassified 
information. This unclassified information often has little or no protection of the data integrity 
prior to entry into classified systems. The expected interactions between GCCS and GTN are 
examples of this. An increasing number of DoD systems contain decision aids and other event- 
driven modules. These should be buffered from unclassified data whose integrity cannot be 
verified. 
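One way to apply the buffering principle just stated, as an added example rather than anything drawn from the report or from GCCS/GTN: an integrity gate in Python that admits a record from an unclassified feed to an event-driven decision aid only if its message authentication code verifies under a key shared with the authoritative producer, and quarantines everything else for human review. The key, the record layout, the stand-in decision aid and the sample feed are constructed for the example.

```python
"""Integrity gate between an unclassified data feed and a classified decision aid.

Added example, not from the DSB report. The producer of the unclassified feed
seals each record with an HMAC-SHA256 tag; the gate on the classified side
recomputes the tag and admits only records that verify. Key, record layout and
sample feed are constructed for this illustration.
"""
import hashlib
import hmac
import json


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so producer and gate authenticate identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Producer side: wrap a record with its HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Gate side: constant-time comparison of the expected and presented tags.
    A missing tag is treated as a failed verification, not an exception."""
    expected = hmac.new(key, _canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))


def integrity_gate(envelopes, key):
    """Split a feed into records the decision aid may act on and records to
    quarantine. Nothing unverified reaches the event-driven module."""
    admitted, quarantined = [], []
    for env in envelopes:
        (admitted if verify(env, key) else quarantined).append(env["body"])
    return admitted, quarantined


def decision_aid(records):
    """Stand-in for an event-driven module: counts units flagged for movement."""
    return sum(1 for r in records if r.get("status") == "move")


# Constructed sample: a key shared by producer and gate, two correctly sealed
# records, one record altered in transit after sealing, and one with no tag.
FEED_KEY = b"constructed-demo-key-not-for-real-use"
_good = [seal({"unit": "A", "status": "move"}, FEED_KEY),
         seal({"unit": "B", "status": "hold"}, FEED_KEY)]
_tampered = seal({"unit": "C", "status": "hold"}, FEED_KEY)
_tampered["body"]["status"] = "move"          # integrity violated after sealing
_untagged = {"body": {"unit": "D", "status": "move"}}
SAMPLE_FEED = _good + [_tampered, _untagged]


def run_demo():
    admitted, quarantined = integrity_gate(SAMPLE_FEED, FEED_KEY)
    return {"admitted": [r["unit"] for r in admitted],
            "quarantined": [r["unit"] for r in quarantined],
            "moves_acted_on": decision_aid(admitted)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the gate is placement, not the MAC itself: verification happens before the decision aid sees the data, so a record whose integrity cannot be established (record C, altered in transit; record D, never authenticated) cannot trigger an automated action, and the quarantine list gives operators the evidence to investigate the feed.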

Second-, third-, and “n” -order effects from an information warfare attack have not been 
observed and are not well understood. Further, good data are not available with which to 
conduct modeling and simulation of such effects. Data must be collected to support the 
modeling and simulation of the effects of specific information warfare attacks and defenses. 
Detailed data should be gathered through several means: 

• Measure the specific local effects of a standard battery of attacks on common components 
such as operating systems, firewalls, routers, etc. Experiments should be conducted using 
various configurations and settings of the components and attack variations for as 
complete a picture as possible. 

• Measure the effects and possible consequences for a standard battery of attacks against 
many common configurations of generic networked systems. The technologies and 
configurations selected for these experiments should be common to a large percentage of 
the DII and NII, including telecommunications, power, and control systems. Again the 
attacks should be carried out in multiple variations against multiple target system types 
and configurations, with various types of defenses, to obtain accurate data on the 
measurable effects of attacks in all these circumstances. 

• Measure the effects and possible consequences for a battery of attacks, that could include 
application-specific attacks, on stereotypical defense systems. Measure the effects on 
mission effectiveness. 

To achieve the goal of protecting information systems from future IW attacks, a comprehensive, 
principled approach for architecture, design, and analysis of secure, survivable distributed 
information systems must be developed. These new principles and approaches should build 
upon, and be synthesized from, existing and emerging information system engineering principles 
based on work in fault-tolerant systems, trusted systems, and secure distributed systems. The 
principles must be promulgated as guidelines so that they will be widely applied. 

There is a need to create a broader theoretical underpinning for understanding, design, and 
analysis of the security and survivability of information systems. Theoretical tools available 
today usually treat specialized aspects of information security. Early information-theoretic work 
in the 1950s and 1960s, work in the 1980s on trapdoor functions, and recent work on Byzantine 
robust networks may form some basis for development of a broader theory. New theories should 
be developed for robust systems. These theories need to include models both for attacks on 
systems and for survivability defense strategies. Robust system theory should include formal 
methods that apply to large-scale, distributed, heterogeneous systems. Analysis techniques 
should include methods for predicting and analyzing Red/Blue conflicts by, for example, 
extension/application of game theory and other relevant approaches. 

Since the cost of highly secure network subsystems will be very high, the architect should 
assume that the defense network will traverse commercial infrastructures, and that the underlying 
substrate will be inherently insecure. The network architecture thus must ensure successful 
transmissions in the presence of failed, faulty, and spoofed network components. For example, 
spatial transmission diversity is an existing proof that reliability can improve with intelligent use 
of the network. Since the future global network will include subnets of varying robustness, it is 
suggested that a separable entity be established as an overall net security management system. 

The overall network security manager would be responsible for architectural add-ons (such as 
wrappers) for each subnet, to provide survivable, secure service over the entire net of nets. 

For survivable systems, security is required at multiple levels, including applications, 
middleware, operating systems, and networks. New architectural approaches must enable the 
accommodation of legacy and COTS subsystems, perhaps via wrappers, into an overall adaptive 
system-of-systems architecture. This architecture must be designed to reallocate critical tasks 
dynamically to subsystems which have survived the attack. The security/survivability 
management of the system should be integrated into the overall system management framework, 
in terms of both the automated and the human components of the system management structure. 

In order to test the effectiveness of the survivable system architecture, principles, and theory, it is 
essential to conduct experiments and demonstrations. It is recommended that such experiments 
and system demonstrations be conducted in existing and emerging system testbeds and networks, 
building on both experimental nets and the emerging DII and NII. 

There are substantial differences between designing a typical information system and designing a 
resilient information infrastructure capable of enduring in the face of intentional disruptions. 
Information system design is typically based on efficiency; a resilient information infrastructure 
design must be based, instead, on effectiveness. Control must be decentralized and portions must 
operate independently of the infrastructure. For example, fault-tolerant computing introduces 
redundancy into otherwise efficient systems in order to make them more effective, particularly 
against random disruptions. Similarly, the design of a resilient infrastructure will ensure 
diversity of hardware and software so that a common failure mode will not result in an 
infrastructure failure. Investing in a proper design up front saves money in the long run and 
negates the very real possibility of introducing vulnerabilities by attempting to retro-fit security. 
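To make two of the design principles above concrete (dynamic reallocation of critical tasks to subsystems that survived an attack, and diversity so that no common failure mode takes out every copy), here is an added Python example that is not part of the report. It places replicas of each critical task on subsystems of distinct hardware/software lineage, checks a plan for common-mode exposure, and re-places the affected tasks when subsystems are lost; the subsystem names, lineages and task names are assumptions made for the example.

```python
"""Diversity-aware placement and reallocation of critical tasks.

Added example, not from the DSB report. A "lineage" stands for a shared
hardware/software heritage (same OS family, same vendor build): subsystems of
one lineage are assumed to share failure modes. Names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Subsystem:
    name: str
    lineage: str
    alive: bool = True


@dataclass
class Plan:
    placements: dict = field(default_factory=dict)   # task -> [subsystem names]


def place(tasks, subsystems, replicas=2):
    """Assign each task to `replicas` live subsystems of pairwise distinct lineage,
    spreading load evenly. Raises if the survivors cannot satisfy diversity."""
    live = [s for s in subsystems if s.alive]
    load = {s.name: 0 for s in live}
    plan = Plan()
    for task in tasks:
        chosen, lineages = [], set()
        for s in sorted(live, key=lambda s: load[s.name]):   # least-loaded first
            if s.lineage in lineages:
                continue                                     # would share a failure mode
            chosen.append(s.name)
            lineages.add(s.lineage)
            load[s.name] += 1
            if len(chosen) == replicas:
                break
        if len(chosen) < replicas:
            raise RuntimeError(f"cannot place {task}: fewer than {replicas} diverse live subsystems")
        plan.placements[task] = chosen
    return plan


def common_mode_exposure(plan, subsystems):
    """Tasks whose replicas all sit on one lineage (one failure mode removes every
    copy). Empty for any plan produced by place()."""
    lineage = {s.name: s.lineage for s in subsystems}
    return sorted(t for t, names in plan.placements.items()
                  if len({lineage[n] for n in names}) == 1)


def reallocate(plan, tasks, subsystems, lost, replicas=2):
    """Mark `lost` subsystems dead and re-place only the tasks that lost a replica
    onto the survivors. Returns the updated plan and the affected task list."""
    for s in subsystems:
        if s.name in lost:
            s.alive = False
    affected = [t for t in tasks if any(n in lost for n in plan.placements[t])]
    moved = place(affected, subsystems, replicas)
    plan.placements.update(moved.placements)
    return plan, affected


# Constructed pool: two subsystems each of lineages A and B, one of lineage C.
def build_pool():
    return [Subsystem("alpha", "unix-vendorA"), Subsystem("beta", "unix-vendorA"),
            Subsystem("gamma", "nt-vendorB"), Subsystem("delta", "nt-vendorB"),
            Subsystem("eps", "unix-vendorC")]


TASKS = ["ato-planning", "sensor-tasking", "logistics"]

if __name__ == "__main__":
    pool = build_pool()
    plan = place(TASKS, pool)
    print("initial:", plan.placements)
    plan, affected = reallocate(plan, TASKS, pool, {"alpha", "beta"})   # lineage A lost
    print("after losing lineage unix-vendorA:", affected, plan.placements)
```

Losing an entire lineage (both `alpha` and `beta`) is the common-mode event the design guards against: every task keeps one live replica and is re-placed onto the survivors. Losing `eps` afterwards leaves only lineage B, and `place()` refuses rather than silently produce a plan with no diversity, which is the signal that the pool itself needs more heterogeneity.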

The goal is to design for utility, resiliency, repairability, and security, as shown in Exhibit 6-2-4. 
Presently, there is no significant body of knowledge on infrastructure design. It will have to be 
developed based on the existing design skills for fault-tolerant computing, resiliency, reliability, 
and so on. This body of knowledge will expand through the results of the research currently 
under way and planned for large distributed networks and survivable systems. This growing 
body of knowledge will be used to develop and promulgate policies, architectures, and standards 
which enhance the utility, resiliency, repairability and security of the infrastructure. The 
collection of these policies, architectures, and standards will constitute the infrastructure design. 
• Functions 

  - Develop and promulgate policies, architectures, standards 

  - Design for utility, resiliency, repairability and security 

    • No one event/attack should be able to do the system in 

    • Perimeter defense not sufficient 

    • Classified systems vulnerable to attack from unclassified data sources 

    • Back-up repositories of data must be implemented and regularly updated 

    • Diversity should be a key aspect of design 

  - Develop and implement configuration management process 

  - Conduct independent verification of design and procurement specifications 

Action (ASD(C3I) lead): 

  - Establish a joint security architecture/design office within DISA to design the 
    infrastructure in accordance with the above principles to shape the design of the DoD 
    information infrastructure 

  - Establish a process to independently verify and enforce adherence to these design 
    principles 

Exhibit 6-2-4. Establish a Joint Office for System, Network 
and Infrastructure Design 


The infrastructure design should be verified independently periodically to ensure that the design 
meets the goals of utility, resiliency, repairability, and security. The Task Force suggests using 
NSTAC, NCS, and similar resources to aid in this activity. 

The infrastructure design should also be used to verify that goals of utility, resiliency, 
repairability, and security are reflected in the specifications for development of new systems and 
for purchase of services from the other government agencies and the private sector. 

The Task Force recommends the establishment of a joint architecture/design office in DISA to 
develop and promulgate throughout the Department the needed design policies, architectures, 
standards, and configuration management process. This office should include the current 
architecture and design activities of DISA, but should also be focused on infrastructure design 
and the incorporation of security up front in the architecture and engineering process. The Task 
Force also recommends that a process be developed to verify compliance with the design 
independently. 

6.2.5 Establish a Red Team for Independent Assessments 

Red Teaming is an essential component of the IW-D strategy and technology development 
process. We recommend that the concept be extended to include vulnerability analyses as well as 
carefully planned attacks during experimental activities in controlled testbeds and during 
training/planning exercises. The Red Team exercises should be conducted under proper rules of 
engagement to avoid unnecessary damage or disruption to information systems. 
Emphasis should be given to developing new attack methodologies in addition to reusing and 
applying current attacker techniques. For example, attacks should be designed which exploit 
the system’s survivability features. A sophisticated attacker would probably know about these 
features. In formulating these attack strategies, models should first be developed for system 
vulnerability and its likely defenses, and these models should be exploited in the attack 
strategies. Vulnerability analyses and Red Team attacks should be conducted at the application 
and system level, as well as at the subsystem level, with the goal of uncovering how operations 
can be perturbed (e.g., the planning and execution of an air tasking order or the deployment of 
sensors and communication assets), and how supporting communication links, or specific 
computers and network nodes, can be compromised. 

The need for independent assessments is suggested in the notion that “you can only expect what 
you inspect.” Many activities throughout the Department are in the process of forming Red 
Teams for the purpose of conducting vulnerability analyses, training readiness assessments and 
so on. The Task Force endorses these efforts, particularly in light of previous DSB Task Force 
recommendations. However, what the current Task Force is recommending is the 
“SECDEF/DEPSECDEF’s Own” — a team whose central role is providing the 
SECDEF/DEPSECDEF with unbiased assessments on the Department’s IW “state of health.” 

As shown at the bottom of Exhibit 6-2-5, the Task Force recommends that a Red Team be 
established to perform these independent assessments. Two previous DSB Summer Studies have 
made a similar recommendation to establish such a Red Team. While the Task Force was unable 
to agree on whether the new organization should be a standalone organization or housed in an 
existing organization, there was unanimity on the fact that it must receive significant 
management attention and, although reporting through the ASD(C3I), be accountable to the 
DEPSECDEF for its activities. 


• Functions 

  - Acquisition - assess vulnerabilities 

    • Existing and planned DoD systems and networks 

    • Include products and services provided to DoD by private sector 

  - Operations - conduct “IW-like” attacks 

    • Verify readiness posture and preparedness 

    • Assess physical, cyber, and people aspects 

  - Spectrum of attacks 

    • Facilities, networks and systems, and people 

    • Hardware, software, databases, systems, networks, communications 

    • Deception, corruption, exploitation, denial 

Action (ASD(C3I) lead): 

  - Establish a Red Team 

    • Accountable to SECDEF/DEPSECDEF, independent of design, acquisition, operations 

    • Red Team recommended by 1994 and 1995 DSB Summer Studies 

    • Important management considerations 

      - Tight leash and significant management attention 

      - Integrated product team 

  - Develop procedures for employment of the Red Team 

Exhibit 6-2-5. Establish a Red Team for Independent Assessments 
Developing and maintaining an independent assessment capability is very important because of 
the traditional resistance to self-assessment and potential embarrassment. However, it is 
essential that the Department evaluate its IW preparedness and not wait to learn of any major 
shortfalls because of the actions of an adversary. This Red Team should have a small permanent 
cadre for management and technical continuity and should be staffed by civilian personnel and 
military personnel on a rotating joint duty basis. 

The organizational recommendations made by the Task Force are shown graphically in Exhibit 
6-2-6. While it was obvious to the Task Force that similar information warfare (defense) 
capabilities and organizations must be established at the national level, the Task Force decided 
not to make specific recommendations about where these organizations should be established or 
to whom they should report. Instead, the Task Force recommends this be left to the President’s 
Commission. However, it should be pointed out that there is a real need for extensive 
coordination and information sharing between government (Federal, state, and local) and the 
private sector. 



Exhibit 6-2-6. Organizational Recommendation - DoD Aspects 

Exhibit 6-2-7 also shows the organizational recommendations made by the Task Force but 
emphasizes the functional aspects. The defensive information warfare process, procedures and 
mechanisms diagram discussed earlier in the report is shown in the middle of the Exhibit and the 
process has been divided by the gray line into preparedness functions and operations functions. 
The recommended organizations are arrayed in the Exhibit so as to relate their functions (shown 
near the ovals) to the entire defensive information warfare process. 
Exhibit 6-2-7. Organizational Recommendations - Functional Aspects 


6.3 INCREASE AWARENESS 

An important and cost effective first line of information warfare defense is a user and operations 
community that is aware of potential threats and is well trained in protection, detection, and 
reaction tactics, techniques and procedures. A well-trained and educated cadre of security and 
automated information system professionals can provide an effective second line of defense. The 
Services and Agencies (NSA in particular) have long provided INFOSEC training. Traditional 
DoD security awareness and training, however, has emphasized the security of classified national 
security information and information systems processing classified national security information. 
DoD components are currently implementing awareness, training, and education (ATE) programs 
to focus on new threats to both unclassified and classified networks. Working groups have been 
established to help coordinate efforts between components. There is a need, however, for a 
DoD-level forum with the authority to reduce duplication and implement consolidated training 
responsibilities. This forum must take advantage of core competencies to ensure a 
comprehensive, cost-effective program. 

Current modeling and simulation efforts do not adequately address issues that can be expected to 
arise in an information warfare attack environment. For example, little or no consideration is 
given to the tactical impact of compromised or exploited computing and networking resources, 
beyond perhaps the classical effects of jamming or ESM techniques as applied to the battlefield 
communications infrastructure. 
A fundamental shortcoming of traditional wargame-oriented simulations is the failure to predict 
changes in battlefield behavior resulting from the dynamic interplay of people with new 
weapons, sensors, tactics, etc. This is mainly due to deeply embedded, built-in assumptions of 
human tactical behavior. The introduction of a new dimension to the battlespace, namely that of 
IW, serves to aggravate the problem. A new generation of simulations and gaming environments 
is needed that not only generally minimizes built-in assumptions on human behavior, but also 
captures in particular the implications and impact of sophisticated information warfare types of 
attacks. 

Because of our perceived lead in offensive information warfare capabilities, not everyone 
understands the need for defensive information warfare preparations. The Task Force review of 
several current Service and joint doctrine documents indicates that defensive information warfare 
matters are not adequately addressed. The Task Force strongly suggests the need to make senior- 
level government and industry leaders aware of the vulnerabilities and appreciate the 
implications. The recommended actions are shown in Exhibit 6-3. 

The awareness campaign should be designed for several purposes. The internal campaign should 
make DoD personnel more aware of the threats, vulnerabilities, and fixes and should also make 
DoD a better informed customer in the acquisition of systems, COTS products, and services. 

The external program should make DoD suppliers better aware of DoD needs and should make 
the civil agencies and the general public understand DoD dependence on infrastructures and the 
role of DoD in the information-age “common defense.” 


• IC/IW (Offense) capability breeds complacency 

• Military doctrine does not adequately address IW vulnerabilities 

• Need senior-level government and industry appreciation of what’s at stake 

  - Pursue all avenues (briefings, conferences, articles, etc.) 

Action: 

  - Establish an internal and external IW-D awareness campaign for the public, industry, 
    CINCs, Services and Agencies (ASD(C3I) and Public Affairs) 

  - Expand the IW Net Assessment recommended by the 1994 Summer Study to include 
    assessing the vulnerabilities of the DII and NII (USD(P) lead) 

  - Review joint doctrine for needed IW-D emphasis (CJCS lead) 

  - Explore possibility of large-scale IW-D demonstrations for the purpose of understanding 
    cascading effects and collecting data for simulations (ASD(C3I) lead) 

  - Develop and implement simulations to demonstrate and play IW-D effects (USD(A&T) lead) 

  - Implement policy to include IW-D realism in exercises (CJCS lead) 

  - Conduct IW-D experiments (CJCS lead) 

Exhibit 6-3. Increase Awareness 

The Task Force recommends that the ongoing IW net assessment recommended by the 1994 
Summer Study be expanded to include an assessment of the vulnerabilities of the DII and the NII 
with particular emphasis on those portions of the NII upon which the Department is especially 
dependent. A brief review by the Task Force of selected joint doctrine revealed a heavy 
dependence on information and information technology without corresponding attention to 
defensive information warfare. Existing doctrine should be reviewed for needed emphasis. The 
Department should also explore the possibility of large-scale demonstrations for the purpose of 
exploring cascading effects and for collecting data necessary for simulation of information 
warfare activities. 

In addition and to the extent possible, information warfare (defense) must be realistically played 
in exercises. This will require some concerted management attention. The Task Force notes that 
since 1992, DoD policy has called for military exercises to include realistic information warfare 
play. To date, there has been very limited execution of this policy: policy directing the CINCs to 
conduct exercises with information warfare realism has been in effect since 1992, and there have 
been no noticeable efforts to date to implement it. In those cases where a realistic IW 
environment cannot be created, specific experiments must be developed to assess the effects of 
information warfare attacks. 


6.4 ASSESS INFRASTRUCTURE DEPENDENCIES AND VULNERABILITIES 

Traditional thinking is that infrastructures, with few exceptions, are stable, reliable, and always 
available. The nation’s interstate highway system is a prime example. Consequently, the 
Department’s operational and functional planners have not adequately addressed the possibility 
that key infrastructures such as telecommunications, electric power, and transportation might not 
be available in part to support military operations. The purpose of this recommendation, as 
shown in Exhibit 6-4, is to get the operational and functional planners to begin documenting the 
extent to which their plans are dependent on critical infrastructures and what effect infrastructure 
disruptions might have on execution of the plans. 

• Dependencies and vulnerabilities not well understood 

- Affects efforts to mobilize, deploy, employ, control and sustain forces 

- Interconnected infrastructures have common single points of failure 

- Mitigation (protection) techniques and procedures must be developed 

• The Mission Needs Statement for Infrastructure Assurance 
Modeling developed by Joint Staff will help 

Action 

- Develop a process and metrics for assessing infrastructure dependency 
(ASD(C3I) lead) 

- Assess/document operations plans infrastructure dependencies (CJCS 
lead) 

- Assess/document functional infrastructure dependencies (PSAs lead) 

- Assess infrastructure vulnerabilities (ASD(C3I) lead) 

- Develop a list of essential infrastructure protection needs (CJCS lead) 

- Develop and report to the SECDEF the resource estimates for essential 
infrastructure protection (ASD(C3I) lead with CJCS support) 

- Review vulnerabilities of hardware and software embedded in weapons 

systems (USD(A&T) lead) 


Exhibit 6-4. Assess Infrastructure Dependencies and Vulnerabilities 

The Joint Staff has begun to address the issue by developing a draft Mission Needs Statement for 
Infrastructure Assurance Modeling. The MNS approach is to use modeling and simulation. This 
is probably the best long-term approach to understanding infrastructure inter-dependencies, 
potential cascading effects, etc. 

The Task Force recommends that a separate effort be initiated by the ASD(C3I) to develop an 
alternative approach using other analytical techniques that could be employed in the near term by 
the operational and functional planners to assess all critical infrastructure dependencies. Based 
on these assessments by the Chairman and the Principal Staff Assistants, the Chairman should 
develop the essential infrastructure protection needs and the ASD(C3I) should develop the 
resource estimates for the needed protection. 

The Task Force recognizes that this will be an enormous task. However, the complexity and 
difficulty of the task should not be an impediment to starting the effort; “the journey of a 
thousand miles begins with a single step.” 

6.5 DEFINE THREAT CONDITIONS AND RESPONSES 

Exhibit 6-5-1 shows that, as in the traditional operations community, the IW-D operations 
community requires an alerting mechanism to heighten awareness as the threat increases. In 
addition, there should be some prescribed response by the IW-D operations community to 
increasing threat conditions such as minimizing the traffic on the networks, restricting personnel 
access to operational facilities, disconnecting certain systems from networks which are likely 
targets, and possibly implementing wartime modes of operation. While the effort is urgently 
needed, it will be complicated by the extensive interconnectivity of systems and networks and 
because some actions will be required by the private sector, in part, since much of the Defense 
Information Infrastructure is embedded in the public switched and data networks. 

• Conditions and responses required for risk management 

- Conditions analogous to DEFCON 

- Responses might include 

• Minimize 

• Personnel actions 

• Disconnecting from the “net” 

• Use of War Mode (WARM) protocols 

• Defense of the information infrastructure complicated by 

- Interconnectivity - heightened state of alert must extend to all connected 
systems and networks 

- Reliance on private sector - may require legislative or regulatory actions 

Action: 

- Define and promulgate a useful set of IW-D threat conditions which is 
coordinated with current intelligence community threat condition 
definitions (CJCS lead) 

- Define and implement responses to IW-D threat conditions (CJCS lead with 
ASD(C3I) support) 

- Explore legislative and regulatory implications (ASD(C3I) lead) 


Exhibit 6-5-1. Define Threat Conditions and Responses 
Exhibit 6-5-2 is an illustrative cut at what a structured threat condition and response table might 
look like. This is not a definitive threat chart. For example, “normal” is yet to be defined and 
very damaging attacks can be postulated that would not cause a noticeable increase in the number 
of incidents. Also, it should not be inferred that the Task Force believes an information warfare 
attack will necessarily escalate in a linear manner from level II to level V. An attack could be 
oriented on a specific critical target or could immediately threaten multiple centers of gravity 
within the United States. The term “special contexts” is an attempt to highlight the potential 
linkages between an information warfare attack and other circumstances that may be present. For 
example, disruption of the infrastructures supporting Fort Bragg, North Carolina, would have 
much greater impact during a deployment of U.S. forces to a crisis location than it would during 
normal peace-time training operations. 


CONDITION / SITUATION / REQUIRED RESPONSE 

I - Normal 

  Situation: 
  - Normal threat - crime/incompetents 
  - Normal activities in all sectors 

  Required response: 
  - Normal actions and requirements 

II - Perturbation 

  Situation: 
  - 10% increase in incident reports, regional or functionally based 
  - 15% increase in all incidents 

  Required response: 
  - Increase incident monitoring 
  - Look for patterns across wide range of variables 
  - Alert all agencies to increase awareness activities 
  - Begin selective monitoring of critical elements 

III - Heightened Defense Posture 

  Situation: 
  - 20% increase in all incident reports 
  - Condition II with special contexts 

  Required response: 
  - Disconnect all unnecessary connections 
  - Turn on real-time audit for critical systems 
  - Begin mandatory reporting to central control 

IV - Serious 

  Situation: 
  - Major regional or functional events that seriously undermine U.S. interests 
  - Condition II / III with special contexts 

  Required response: 
  - Implement alternate routing 
  - Limit connectivity to minimal states 
  - Begin “aggressive” forensics investigations 

V - Brink of War 

  Situation: 
  - Widespread incidents that undermine U.S. ability to function 
  - Condition III / IV with special contexts 

  Required response: 
  - Disconnect critical elements from public infrastructure 
  - Implement WARM protocols 
  - Declare state of emergency 


Exhibit 6-5-2. Sample Threat Condition and Response 


Deriving a solid set of threat conditions and appropriate responses will require some serious 
research. The various levels reflect combinatorial effects as well. For example, it is possible to 
move from Condition I to Condition V without passing through the intervening conditions. 
Condition II reflects the notion that an attack may be surgical rather than broad-based. 
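The classification logic implied by Exhibit 6-5-2 and the paragraph above, as an added worked example that is not part of the DSB report: the percentage thresholds, the qualitative triggers and the one-level escalation for “special contexts” are taken from the exhibit, while the data structure, function names, and sample incident figures are constructed here. The report's own caveat applies, since the table is illustrative, not definitive.

```python
"""Threat-condition classifier built from the sample table in Exhibit 6-5-2.

Constructed illustration; the thresholds (10%/15%/20%), the qualitative rows
and the "special contexts" escalation come from the exhibit, everything else
(names, structures, sample numbers) is assumed for this example.
"""
from dataclasses import dataclass, field

# Required responses per condition, transcribed from the exhibit.
RESPONSES = {
    1: ["Normal actions and requirements"],
    2: ["Increase incident monitoring",
        "Look for patterns across wide range of variables",
        "Alert all agencies to increase awareness activities",
        "Begin selective monitoring of critical elements"],
    3: ["Disconnect all unnecessary connections",
        "Turn on real-time audit for critical systems",
        "Begin mandatory reporting to central control"],
    4: ["Implement alternate routing",
        "Limit connectivity to minimal states",
        "Begin \"aggressive\" forensics investigations"],
    5: ["Disconnect critical elements from public infrastructure",
        "Implement WARM protocols",
        "Declare state of emergency"],
}


@dataclass
class IncidentPicture:
    """Incident reporting for the current period compared with a baseline (constructed)."""
    baseline_total: int                 # incident reports in the baseline period
    current_total: int                  # incident reports in the current period
    sector_baseline: dict = field(default_factory=dict)  # region/function -> count
    sector_current: dict = field(default_factory=dict)   # region/function -> count
    special_contexts: bool = False      # e.g. a deployment in progress
    major_regional_event: bool = False  # events seriously undermining U.S. interests
    widespread_incidents: bool = False  # incidents undermining U.S. ability to function


def pct_increase(baseline: int, current: int) -> float:
    """Percentage growth over the baseline; any growth from zero counts as unbounded."""
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) * 100.0 / baseline


def base_condition(p: IncidentPicture) -> int:
    """Condition I-V from the quantitative and qualitative rows, ignoring special contexts.

    The qualitative rows are checked first, which is how an attack can jump
    straight from Condition I to Condition V without a rise in incident counts.
    """
    if p.widespread_incidents:
        return 5
    if p.major_regional_event:
        return 4
    total = pct_increase(p.baseline_total, p.current_total)
    if total >= 20:
        return 3
    # A surgical attack may show up only in one region or function (Condition II row 1).
    sector_hit = any(pct_increase(p.sector_baseline.get(k, 0), v) >= 10
                     for k, v in p.sector_current.items())
    if total >= 15 or sector_hit:
        return 2
    return 1


def assess(p: IncidentPicture):
    """Return (condition, required responses).

    "Condition N with special contexts" is read as raising the condition by
    one level (the exhibit lists Condition II under both III and IV; this
    example takes the one-step reading). Condition V cannot be exceeded.
    """
    level = base_condition(p)
    if p.special_contexts and 2 <= level < 5:
        level += 1
    return level, RESPONSES[level]


if __name__ == "__main__":
    # Constructed sample: a 12% rise confined to one theater during a deployment.
    sample = IncidentPicture(baseline_total=100, current_total=104,
                             sector_baseline={"pacific": 50},
                             sector_current={"pacific": 56},
                             special_contexts=True)
    level, actions = assess(sample)
    print(f"Condition {level}")
    for action in actions:
        print(" -", action)
```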

6.6 ASSESS IW-D READINESS 

Information warfare defense should be viewed from a warfighting perspective. Operational 
forces should be able to detect, differentiate among, warn of, respond to, and recover from 
disruptions of supporting information services. Recovery from disruptions resulting from 
failures or attacks might involve repair, reconstitution, or the employment of reserve assets. In 
some cases, network managers may have to isolate portions of the network, including users of the 
network, to preclude the spread of disruption. Given the speed with which disruptions can 
propagate through networks, these capabilities may need to be available in automated form 
within the network itself. Finally, there must be some means to manage and control these 
capabilities. At its heart, this is an operational readiness matter. 

A standardized process to enable commanders to assess and report their operational readiness 
status as it relates to their specific dependency on information and information services is an 
essential element of operational readiness. A standard vocabulary will enable common 
description of risk scenarios and assessment methodologies. (A more complete explanation of 
the proposed process is at Appendix C.) The use of a structured assessment and reporting 
process will help move information assurance from a global and unsolvable problem to the 
identification of discrete information and information service dependencies that illuminate 
quantifiable risk to specific information dependent activities within a commander’s sphere of 
responsibility. A similar assessment and reporting process can be applied by supporting 
elements and in the commercial sector. 

Exhibit 6-6 shows that information warfare (defense) must be mainstreamed as a readiness issue. 
A means must be developed for including information warfare (defense) issues in readiness 
reporting and a process must be developed to assess the information warfare (defense) readiness 
posture independently. The assessment scenarios differ from the threat conditions discussed 
earlier in that the assessment scenarios are used to assess readiness against a wide range of 
possible threats to specific units, missions, and functions, while the threat conditions are used to 
describe the existing threat condition to the broad interconnected population. The assessment 
scenarios are applied locally, while the threat conditions are applied globally. Standardized 
assessment scenarios could be used for planning considerations, in warning orders, and so on. 

The assessment regime provides a means for addressing variability and should be used in concept 
and operations planning. 


• Readiness assessment system 

- Need explicit process to tie IW-D readiness assessments to the ability to execute 
operational missions 

- Propose standardized, graduated assessment scenarios 

• Accident 

• Amateur hackers 

• Experienced hacker 

• Well-funded non-state purchase or hire of advanced IW capabilities 

• State-sponsored IW 

• State-sponsored IW with the active collusion of an insider 

- Propose standardized, graduated assessment regime 

• An unknown information assurance capability for a specified threat scenario. 

• Engineering estimate based on design parameters and recovery plans 

• Engineering estimate based on design, simulation exercises, and review of recovery plans, 
but no physical testing for a specified threat scenario, 

• Internal assessment organization and live contingency plan exercise 

• Independent security assessment organization and live contingency plan exercise 

Action: 

- Establish a standardized IW-D assessment system for use by CINCs, 
MilDeps, Services, and Combat Support Agencies (CJCS lead) 


Exhibit 6-6. Assess IW-D Readiness 
• Readiness reporting system 

- Need a standard IW-D preparedness reporting system using assessment 
factors from previous exhibit 

Action: 

- Incorporate IW preparedness assessments in Joint Reporting System and 
Joint Doctrine, for example (CJCS lead): 

• SORTS (Status of Resources and Training System), Joint Pub 1-03.3 

- Add IW preparedness to overall unit readiness rating (C-Level) 

• CSPAR (CINCs Preparedness Assessment Report), Joint Pub 1-03.31 

- Add explicit review of IW to review of Ops/Con Plans 

• CSAAS (Combat Support Agency Assessment System), Joint Pub 1-03.32.1 

- Address IW preparedness in new annual CSAAS cycle 

• Joint Tactics, Techniques, and Procedures for Base Defense, Joint Pub 3-10.1 

- Include IW, apply to CONUS and OCONUS bases 

• Joint Doctrine for Operations Security, Joint Pub 3-54 

- Add IW posture to assessment factors 

• DISA Communications Spot & Status Reports, Joint Pub 1-03.10 

- Modify to include status reporting on major computing resources 

- Include CSAs, MilDeps and Service mobilization & sustainment assets 


Exhibit 6-6. Assess IW-D Readiness (Continued) 


The Task Force recommends that the Chairman of the Joint Chiefs of Staff incorporate 
information warfare preparedness assessments in the Joint Reporting System and into Joint 
Doctrine. The systems, reports and publications cited are only examples that the Task Force 
reviewed to illustrate how these assessments might be incorporated. Additional details will be 
provided in the written report. 

6.7 “RAISE THE BAR” WITH HIGH-PAYOFF, LOW-COST ITEMS 

There are a number of things the Department can undertake, as shown in Exhibit 6-7, that are 
relatively low cost, but that will raise the bar significantly for potential system and network 
intruders. Training and awareness have already been emphasized. The two specific examples 
are cited to illustrate the fact that there is existing Executive Branch policy regarding this matter 
and that the use of banners to alert users is a good way to increase awareness. Certification by 
users of banner understanding is another technique to emphasize the importance. One of the 
Task Force members cited as an example the procedure used in his company. On a periodic 
basis, users of the network are presented with a security awareness quiz. If the questions are not 
answered correctly after three tries, the user must have the systems administrator provide access 
to the system or network. 
• Training and awareness 

- Enforce provisions of Appendix 3, OMB Policy A-130 

- Use banners 

• Improve security of DoD’s unclassified computers 

- Access control (get rid of fixed passwords!) 

- Identification and authentication 

- Much more effective than encryption in “raising the bar” 

• Promote use of government approved commercial 
security technologies 

- Support JWCA Phase 5 plan of action 

Action (ASD(C3I) lead): 

- Direct the immediate use of approved products for access control 

• As an interim until a MISSI solution is implemented 

• For those users not programmed to receive MISSI products 

- Examine feasibility of using approved products for identification 
and authentication 

- Require use of escrowed encryption for critical assets 

• Preclude rogue employee from locking up systems and networks 

• Data bases, program libraries, applications, transaction logs 


Exhibit 6-7. “Raise the Bar” With High-Payoff, Low-Cost Items 


One of the most important acts is to improve the security of DoD’s unclassified computers by 
instituting dynamic access control and authentication of users. Until this is done, the Department 
has little assurance that it has any control over these systems, many of which are essential to 
critical support functions. The Department should also promote the use of existing commercial 
and government security technologies. 

The Task Force recommends the immediate use of commercial access control technologies for 
this purpose. These technologies can be used as an interim solution for MISSI and as a solution 
for those users not programmed to receive MISSI. The Department should also explore the 
feasibility of using approved commercial products for identification and authentication and 
continue its plans for the use of escrowed encryption, particularly for the protection of critical 
assets. 


6.8 ESTABLISH AND MAINTAIN A MINIMUM ESSENTIAL INFORMATION 
INFRASTRUCTURE 

The current information infrastructure which supports telecommunications, power, 
transportation, etc., is susceptible to IW attacks, and in particular to wide-scale coordinated 
attacks aimed at disabling or disrupting government as well as commercial systems. A strategy 
and overall architecture concept must be developed for a minimum essential information 
infrastructure (MEII). This minimum infrastructure can serve as a means for restoring services 
and adapting to wide-scale outages. Milstar should be investigated as a means for determining 
available connectivity and providing modest but critical packet data service for exchange of 
routing, node status, and other essential network management information. In this role, Milstar 
would be supplemented with available commercial resources as possible and as needed. 
The concept should consider the applications and deployment of secure gateways connected to 
Milstar ground station equipment and reallocated Milstar assets as a hardcore network for use in 
restoring critical connectivity. The authentication of commercial wireline and wireless network 
access through the gateway to the hardcore network is a critical issue, and must be addressed. 

In addition to an overall MEII architectural concept, minimum essential services, an operational 
concept, and a management structure must be developed. A strategy must be developed for 
transitioning from peacetime or normal operational activities to the minimum essential 
information infrastructure. It will be important to execute the transition strategy in the context of 
exercises. 

The minimum essential information infrastructure capability shown in Exhibit 6-8 could serve 
the Department for critical missions and functions and could serve the nation for other national 
security-related functions. The 1995 DSB Summer Study titled Investments for 21st Century 
Military Superiority recommended a minimum essential C3 capability. Included are the specific 
recommendations leading to that capability. 


• Current NII/DII is vulnerable 

- Not designed for resiliency or repair 

- Cannot fully depend on public switched network 

• Need 

- Failsoft infrastructure to support critical functions while under attack 

- Failsafe minimum infrastructure 

- Failsafe capability to manage restoration independent of the public 
switched network 

• Core capabilities exist 

- Milstar 

- Government Emergency Telecommunications Service (GETS) 

- Telecommunications Service Priority System (TSP) 

- National Telecommunications Management Structure (NTMS) 

- Etc. 

• Critical interaction of fuel, power, and telecommunications 

• Base on infrastructure dependency assessments 

• Build on 1995 DSB Summer Study recommendation 

Action: 

- Define options with associated costs and schedules (ASD(C3I) lead) 

- Identify minimum essential conventional force structure and supporting 
information infrastructure needs (CJCS lead) 

- Prioritize critical functions and infrastructure dependencies (CJCS lead) 

- Design a Defense MEII and a failsafe restoration capability (ASD(C3I) lead) 

- Issue direction to the Defense Components to fence funds for a Defense 
MEII and failsafe restoration capability (USD(C) lead) 


Exhibit 6-8. Establish and Maintain a Minimum Essential Information Infrastructure 





6.9 FOCUS THE R&D 


New information security products — from biometric personnel identification devices to advanced 
firewalls — are being introduced every day into the commercial marketplace. Many of the 
products are either focused on protecting against network-based intrusions or are attempting to 
enable some form of electronic commerce. However, these products often do not scale well in 
large distributed environments, are too expensive, and are too difficult to configure. 

The Department of Defense should monitor the progress in commercial information technology 
and take care not to duplicate or reinvent the progress being driven by market forces. However, 
the commercial market will not provide the Department the necessary tools and techniques to 
rapidly and securely assemble and protect a robust, resilient, deployable information system to 
support a Joint Task Force or coalition operations. The Bosnia C2 Augmentation initiative is an 
example of the challenge. 

As cost-affordable technologies are developed, they should be given early tests in the Joint 
C4ISR Battle Center Environment. 

The Task Force is aware of several of the ongoing information system security initiatives under 
way in DARPA and has read the descriptions of other IW-D R&D efforts in the Joint 
Warfighting Science and Technology Plan and in the Defense Technology Objectives of the Joint 
Warfighting Science and Technology and Defense Technology Area Plan (both of May 1996). 
However, the Task Force suggests a tighter, more integrated focus on support to U.S. defense 
activities in the areas outlined in Exhibit 6-9. In addition, the Task Force did initially consider a 
much broader and more comprehensive list of R&D initiatives required for information warfare 
defense. Because of the potential contribution of commercial security activities to some of the 
Department’s requirements, the Task Force recommends the Department should focus its R&D 
on those aspects of information protection and assurance not likely to be addressed by the private 
sector. Several Task Force members stressed that the R&D program must emphasize cost and 
operational realism. For example, it would be helpful if the primary design criteria included per- 
seat costs for installation, training, and support. 
• Current security products are not designed to protect large 
distributed environments 

• Must devote attention to verifying security configuration of a 
rapidly assembled system for Joint Task Force or coalition 
environments 

• DoD must carefully evaluate emerging commercial technologies 
and products 

- To include testing in Joint C4ISR environments 

• Focused research effort required which involves academia, 
industry and government; however, 

- Few universities currently have related courses or research programs 

- There are no established avenues for sharing experience and knowledge in 
resilient system design 

Action (USD(A&T) lead): 

- Focus the DoD R&D program on the following areas 

• Robust survivable system architectures 

- No one event/attack should lead to failure of a critical function 

- Design should provide for graceful degradation and rapid restoration of critical 
functions 

• Techniques and tools for modeling, monitoring and management of large-scale 
distributed /networked systems 

• Tools and techniques for automated detection and analysis of localized or 
coordinated large-scale attacks 

• Tools for synthesizing and projecting the anticipated performance of survivable 
distributed systems 

• Tools and environments for IW-D oriented operational training 

• Testbeds and simulation-based mechanisms for evaluating emerging IW-D 
technology and tactics 

- Work with the National Science Foundation to develop 

• Research in U.S. computer science and computer engineering programs 

• Educational programs for curriculum development at the undergraduate and 
graduate levels in resilient system design practices 

Exhibit 6-9. Focus the R&D 

The development of robust survivable systems resistant to information warfare attack, as well as 
other types of failure, must involve major advances in technology and will require the efforts of a 
vigorous research community embracing academia, industry, and government. Prior R&D efforts 
have focused on areas such as computer and network security, encryption technology, and single 
node failures. Little attention has been paid to surviving willful malicious attack, or detecting 
and eliminating corrupt software. 

The area of robust survivable systems offers an opportunity for a unifying theme to develop a 
broad-based research effort covering the full range of 6.1, 6.2, and 6.3 research to overcome the 
current lack of significant new ideas and problem solutions. Particular emphasis should be given 
to the following areas: 

• Designing a system such that no one event/attack will lead to process failure 

• Design methods for work processes and software that enable the monitoring of functional 
activities, provide for the graceful degradation of functional activities, and ease the rapid 
restoration of functions. 
As indicated in the previous exhibit, specific attention should be paid to verifying the 
configuration of a rapidly assembled system for use in Joint Task Force or coalition 
environments. This should include positive identification of system components with passive 
identification of users, in both the static and mobile environments. 

Regarding test beds and simulation-based mechanisms, it will be important to: 

• Verify whatever security claims are made for a product 

• Understand and model cascading events from an information warfare event 

• Understand the impact (and psychology) of multiple carefully timed attacks. 

In addition to the above, the R&D community should also consider establishing a focused effort 
on the theory, science and analysis of high assurance, massively distributed systems to include: 

• Developing rigorous mathematical approaches and principles for complex system 
analysis and synthesis. The DARPA BAA 96-40, Survivability of Large Scale 
Information Systems, 28 August 1996, provides a good start. 

• Developing advanced modeling and analysis techniques extending existing formal 
method approaches. 

• Developing advanced formalized techniques for predicting, testing, and verifying 
complex system performance. 

Finally, the Department should work with (and even possibly provide seed money to) the 
National Science Foundation to establish research and education programs for resilient system 
design in the universities and colleges. 

6.10 STAFF FOR SUCCESS 

IW vulnerability is often due to human error, insufficient training, or lack of knowledge of or 
failure to follow procedures or adhere to policy. This vulnerability represents a gap which cannot 
be closed with technology alone. Currently, capabilities of system and network administrators 
and system managers vary widely. This is partially due to a lack of appropriate training, and 
partially due to the difficulty in use of existing security products and in obtaining information on 
how to configure a system securely. 

A cadre of high-quality, trained professionals with recognized career paths is an essential 
ingredient for defending present and future information systems. It is recommended that research 
be conducted towards the development of techniques, curricula, tools, and technology 
specifically for security-focused training for system and network administrators. Developing 
partnerships with universities, colleges, existing DoD professional development programs, and 
vocational schools for the purpose of curriculum development will be an essential ingredient of 
this process. It will also be important to capitalize on emerging distributed interactive simulation 
technology to provide a realistic, dynamic, operations center-like training environment indicative 
of a real-world IW combat setting. 
The Task Force acknowledges that there are a number of studies and initiatives under way in the 
area of information warfare (defense) training. Included in these is a recent NSTISSC review of 
training which recommended the development of a database of all available INFOSEC training 
courses. NSTISSC has also developed training standards for Systems Administrators, 
Information System Security Officers, and Designated Accreditation Authorities. However, 
efforts throughout the Department do not appear to be well coordinated and there does not appear 
to be a concerted effort to train systems and network coordinators properly. 

As shown in Exhibit 6-10, the Task Force recommends establishment of a skill specialty for 
military personnel to enable the formation of a cadre of knowledgeable and experienced 
defensive information warfare specialists. The skill specialty is recommended instead of a career 
path to ensure that operational experience is reflected in the performance of the information 
warfare (defense) duties and to preclude the possible formation of a closed community of 
experts. 

• Systems/network administrators are the first line of defense 

- Need a professional cadre - not “other duties as assigned” 

- Keep the defenses in good order 

- Serve as the “picket line” to sound the warning 

• Need IW-D skills and awareness in all functional areas 

Action: 

- Establish a career path and mandate training and certification of systems 
and network administrators (USD(P&R) lead) 

- Establish a skill specialty for IW-D (USD(P&R) lead) 

- Develop specific IW awareness courses with strong focus on operational 
preparedness in DoD’s professional schools (CJCS lead) 


Exhibit 6-10. Staff for Success 

6.11 RESOLVE THE LEGAL ISSUES 

Legal issues can be a distraction from moving on with what can be done. As shown in Exhibit 
6-11, the Task Force found some confusion among the Department’s representatives regarding 
the scope of their authority to monitor systems and networks for the purpose of assessing the 
security of the systems and networks. As discussed earlier, the advent of distributed computing 
has and will continue to blur the boundaries of the systems and networks that DoD uses. 
Confusion also stems from uncertainty over when or whether a wiretap approval is needed. All 
DoD system and network administrators should assume that any intrusion is a hostile intrusion 
and take action to minimize the effects of the intrusion and report the intrusion for purposes of 
tactical warning and to obtain necessary protective support, including law enforcement. 
• Issues: 

- Defending DoD systems 

• DoD has needed authority, but rules must be clarified 

- Defending other government and civil systems 

• Need government-wide guidance (perhaps legislation) 

• Areas to examine include: 

- DoD assistance to the private sector (e.g. Computer Security Act) 

- Attacker of unknown nationality (intelligence versus U.S. persons) 

- Tracking attackers through multiple systems 

- Obtaining/requiring reports from the private sector owners and operators of 
critical infrastructures 

Action (General Counsel lead): 

- For DoD systems, promulgate: 

• Guidance and unequivocal authority for DoD users to monitor, record data, and 
repel intruders in computer systems for self protection 

• Banners that make clear the DoD’s presumption that intruders have hostile intent 
and warn that DoD will take the appropriate response 

• IW-D rules of engagement for self-protection (including active response) and civil 
infrastructure support 

- Provide to the Presidential Commission on Critical Infrastructure Protection 
proposed legislation, regulation, or executive orders for defending other 
systems. 


Exhibit 6-11. Resolve the Legal Issues 

To lessen the confusion, the SECDEF/DEPSECDEF should direct the General Counsel to 
explore this matter and issue rules of engagement regarding appropriate defensive actions that 
may be taken upon detection of intrusions into and attacks against DoD systems and networks. 
This should include promulgating clear guidance regarding monitoring of systems under DoD 
control and the use of warning banners on these systems. 

The SECDEF/DEPSECDEF should also task the General Counsel to propose legislation, 
regulation, or executive orders as may be needed to make clear the DoD role in defending non- 
DoD systems. This should specifically address the need for changes to the Computer Security 
Act, the capture of information on unidentified intruders (issue of intelligence collection on U.S. 
persons), the authority to conduct “hot pursuit” of intruders, and the ability to obtain reports from 
the operators of critical elements of the civil infrastructure. 

The findings and recommendations developed by the General Counsel should be provided to the 
President’s Commission to aid in their deliberation of the legislative and policy initiatives 
required for the protection of the critical infrastructures. 

6.12 PARTICIPATE FULLY IN CRITICAL INFRASTRUCTURE PROTECTION 

Exhibits 6-12-1 through 6-12-4 indicate the Task Force recommendations regarding what DoD 
should offer to, advocate to, request from, and suggest to the President’s Commission. Exhibit 
6-12-1 suggests what capabilities DoD might offer to the Commission and the nation in support 
of critical infrastructure protection. The Department should think through and propose to the 
Commission appropriate national defense response and retaliation capabilities in the event of an 
information warfare attack on the critical civil infrastructures, understanding that Defense is not 
the sole element in responding to threats to the national security. 
Action: Offer DoD capabilities to the President's Commission 
(USD(P) and ASD(C3I)): 

- Improve private-sector defenses 

• Transfer R&D, share standards and purchasing power 

• Loan technical and operational expertise to civil agencies and private 
sector 

- Provide IW&TA to private sector 

• Supplement and back up law enforcement and private sector 
capabilities 

• Use IW&TA center as test bed for applicable private-sector techniques 

- Restore service to critical infrastructures 

• Use Federal Response Plan as a model 

• Explore use of Defense MEII and stand-by contracts 

• Use DoD 911 Ops Center to back up private sector capabilities 

• Plan for effective reaction and restoration 

- Response/Retaliation/Deterrence 

• Propose DoD responsibilities 


Exhibit 6-12-1. Participate Fully in Critical Infrastructure Protection 


Exhibit 6-12-2 suggests what DoD interests should be advocated before the Commission. The 
information-age war powers for the President are suggested in light of the outdated nature of 
Section 706 of the Communications Act of 1934. This Act is the basis for Federal intervention 
in assuring the operation of the telecommunications infrastructure. Critical infrastructure 
assurance goals can be articulated in a general fashion, but should be eventually based on the 
infrastructure dependency assessments discussed earlier in the report. 


Action: Advocate DoD interests to the President’s Commission 
(USD(P) and ASD(C3I)): 

- Continued clarity of responsibilities of the Commander-in-Chief and 
SECDEF in any policy proposed by the President's Commission 

- Information-age war powers for the President (draft necessary legislation) 

- Critical infrastructure assurance goals 


Exhibit 6-12-2. Participate Fully in Critical Infrastructure Protection 

(Continued) 


In addition, there are many international aspects of information warfare that must be addressed as 
the U.S. formulates a defensive information warfare strategy that will guide DoD operations. For 
example: 


• What international regimes currently address defensive information warfare, and, if 
none, what regimes should be created to address defensive information warfare? 

• What agreements must be in place to effectively deal with the threat if 
protect/detect/react capabilities require such activities as countermeasures, tunneling 
through other nations’ infrastructures, active monitoring, etc.? 

• What information warfare actions constitute an act of war? 
• How should IW-D concerns be addressed by country teams, defense attaches, and other 
diplomats? What effect do status-of-forces agreements have on IW-D strategies? 

• Will the U.S. share IW-D technology (similar to President Reagan’s proposal of shared 
SDI)? 

• Will there be vilification of certain types of IW attacks (e.g., against health systems)? 

• What are the critical interdependencies with other nations’ infrastructures (e.g., European 
financial systems)? 

• Is it possible to coordinate crisis management for information systems of global 
importance? 

Exhibit 6-12-3 shows what DoD needs from the President’s Commission. 


Action: Request the President's Commission provide DoD 

(USD(P) and ASD(C3I)): 

- Essential critical infrastructure protection 

- A national-level IW-D structure to include organization and procedures for: 

• IW&TA Center, “911” Operations Center, “411” Planning and Coordination Center 

- Coordinated infrastructure design theory, research, principles, and guidelines 

- Incentives and indemnity for private sector participation in IW-D 

- Mechanism to adjudicate the conflicting IW-D equities 

- Consolidation of continuity of government, emergency, and information warfare 
defense planning 

- Authority for DoD, law enforcement, and intelligence agencies to conduct 
efficient coordinated monitoring of attacks on the critical civilian information 
infrastructure (without knowing the nationality or location of attackers) 
(previously discussed under “Resolve the legal issues”) 

- Procedures for DoD to provide assistance to elements of the critical civilian 
information infrastructure when these elements are attacked (previously 
discussed under “Resolve the legal issues”) 


Exhibit 6-12-3. Participate Fully in Critical Infrastructure Protection 

(Continued) 

Recognizing the difficulty of defining an appropriate role for the government and the private 
sector in critical infrastructure protection, the Task Force offers these suggested roles which DoD 
could provide to the Commission. These suggestions are based on input to and deliberations by 
the Task Force and individual panels of the Task Force. Exhibit 6-12-4 suggests such roles. 
Action: Suggest IW-D roles for government and the private sector 
to the President's Commission (USD(P) and ASD(C3I)): 

- Government 

• Legislate as necessary 

• Regulate through 

- Establishing infrastructure assurance goals 

- Promulgating best practices 

- Certifying the certifiers 

• Preparedness assessments (“due diligence”) 

• Motivate with 

- Regulatory relief 

- Tax incentives 

- Indemnification for assurance 

- Government (Continued) 

• Facilitate 

- Awareness (Informed self-protection, not government sponsored solutions) 

- Dialogue among stakeholders 

- Sharing of sensitive information 

• Threats, vulnerabilities, fixes, tools, techniques, intrusions 

- The “common defense” 

• Research, advice, training, back-up support, registry of knowledgeable personnel 

- Disaster assistance 

• Make use of government and private sector capabilities 

- DoD and other government emergency response teams 

- Commercial emergency response/disaster recovery/business continuity capability in 
each affinity group 

- Information protection practices (“fire brigades”) 

- Private Sector 

• Operate and maintain infrastructures 

• Invest in infrastructures and infrastructure protection 

• Share sensitive information within private sector and with government 


Exhibit 6-12-4. Participate Fully in Critical Infrastructure Protection 

(Continued) 



The NSTAC Model for Government-Industry Cooperation 

• Establish necessary programs (e.g., GETS, NTMS, TSPS, CPAS) 

• Share sensitive information (e.g., NSIEs) 

• Exchange general information (e.g., R&D exchange) 

• Review/generate requirements for security stds (e.g., NSSOG, SLG) 

• Conduct risk assessments (e.g., PSN, Electric Power, Finance, 
Transportation) 

• Participate in games and exercises (“The day after..., natural 
disaster exercises, Global games) 

• Enhance awareness of vulnerabilities/threats (Outreach activities) 

• Develop principles/standards for products/services (NIITF ISSB) 

• Coordinate crises operations (NCC) 


Exhibit 6-12-5. Participate Fully in Critical Infrastructure Protection 

(Continued) 

The NSTAC model shown in Exhibit 6-12-5 could serve as a model for refining the roles of 
government and industry as suggested here. Sensitive information includes threats, 
vulnerabilities, intrusions and other incidents, fixes to vulnerabilities, etc. 

Exhibit 6-12-6 suggests a model as a starting point for refining the government and private sector 
roles. 



Threat                            Personal  Business  Public Infrastructure  Government  National Security 

Incompetent                       O         O         O                      G           G 
Hacker                            O         O         O                      G           G 
Disgruntled Employee              O         O         O                      G           G 
Crook                             O         O         O                      G           G 
Organized Crime                   O/G       O/G       O/G                    G           G 
Political Dissident               O         O         O                      G           G 
Terrorist Group                   O/G       O/G       O/G                    G           G 
Foreign Espionage                 O/G       O/G       O/G                    G           G 
Tactical Countermeasures          -         O/G       O/G                    G           G 
Orchestrated Tactical IW          -         O/G       O/G                    G           G 
Major Strategic Disruption of US  -         -         -                      G           G 

O   = Owner responsibility 
O/G = Owner responsibility to secure; government surveillance 
G   = Government responsibility to surveil and secure 


Exhibit 6-12-6. Possible IW Target Protection Responsibilities 
This exhibit provides another view of how the government and private-sector roles might be 
defined. It also provides the Task Force view of how target protection responsibilities might be 
assigned. The exhibit is not intended to be authoritative, but to provide a construct for discussion 
of the roles of the government and the private sector. 

Some areas are exclusively the responsibility of the owner, while others are exclusively the 
responsibility of government. It is in the areas of shared responsibility between the owner and 
the government where much work must be done to define levels of responsibility. 

6.13 PROVIDE THE RESOURCES 

Resources must be provided if a viable defensive information warfare capability is to be 
achieved. The need has been recognized in part since an INFOSEC special budget issue has been 
submitted each of the past 3 years. The Task Force has developed a rough estimate of the 
resources required to get started. The Department must make a detailed estimate. The resource 
estimates are for resources in addition to those reflected in the proposed FY 97 budget, so some 
reprogramming actions will be required for FY 97. 

The Task Force recommends that the ASD(C3I) develop a detailed plan of action to implement 
the recommendations and a detailed estimate of the resources required. 

• INFOSEC “special budget issue ” written past 3 years 

• Rough “get started " estimates provided - 
detailed estimates required 

• Requires 

- Reprogramming FY97 

- Programming FY98 and beyond 

ACTION: 

- Develop a plan and associated budget beginning in FY 97 to 

obtain needed IW-D capability (ASD(C3I) lead) (duplicated 
from 1. Designate an accountable IW focal point) 


Exhibit 6-13-1. Provide the Resources 

Exhibit 6-13-2 shows the estimated resources to implement the key recommendations. These are 
the very rough estimated resources to implement the key recommendations. The Task Force 
reviewed all of the individual recommendations categorized under the key recommendations and 
estimated to $5 million granularity what the implementation costs might be. The figures are the 
totals of the individual recommendations for each key recommendation. These resources are in 
addition to the current Information Systems Security Program and other distributed information 
security costs which in the aggregate total about $1.6 billion annually. The Department should 
perform a more detailed cost estimate. 
Major Recommendations 

1. Designate IW focal point/staff 
2. Organize for IW-D 
   a. I&W/TA Center 
   b. IW-D Operations Center 
   c. Planning & Coordination Ctr 
   d. Joint Arch/Design Office 
   e. Red Team & Ind. Assessments 
3. Increase awareness 
4. Assess infra. depend’s & vuln’s 
5. Define threat cond’s/responses 
6. Assess IW-D readiness 
7. “Raise the bar,” ... access control 
8. Establish and maintain MEII 
9. Focus the R&D 
10. Staff for success 
11. Resolve the legal issues 
12. Participate fully in CIP 
13. Provide the resources 
Totals 

Columns: FY 97, FY 98, FY 99, FY00, FY01, Totals 

Figures as extracted (the assignment of figures to rows, and one fiscal-year column, did not 
survive extraction; each row total is given in parentheses): 
5, 5, 5, 5 (25) 
225, 215, 185, 180 (965) 
60, 60, 35, 30 (230) 
60, 60, 60, 60 (275) 
10, 10, 10, 10 (45) 
45, 55, 50, 50 (225) 
50, 50, 50, 50 (240) 
65, 85, 135, 135 (455) 
45; 90 

* Dollars in Millions 


Exhibit 6-13-2. Get Started Resources 
SECTION 7 


SUMMARY 


In summary, the Department must tie several factors together, as shown in Exhibit 7-1. 

[Exhibit 7-1 diagram. The recommendations are arranged around the critical infrastructures 
(electric power and the other critical infrastructures) and the defensive cycle of tactical 
warning, attack assessment, and damage control/restoral. Elements shown: 
1. Designate Focal Point 
2. Organize for IW-D: a. IW&TA Ctr; b. 911 Ops Ctr; c. 411+ Ctr; d. Jt Arch/Design Office; e. Red Team 
2d. Design for IW-D 
3. Increase Awareness 
4. Assess Infrastructure Dependencies and Vulnerabilities 
5. Establish Threat Conditions and Responses 
6. Assess IW-D Readiness 
9. Focus the R&D 
10. Staff for Success 
11. Resolve the Legal Issues] 

Exhibit 7-1. Tie It Together 

And the Department must start immediately, as shown in Exhibit 7-2. Although all the 
recommendations are important, the check marks indicate where the Task Force believes 
immediate action will jump-start the process of getting a handle on this challenge. Again, as 
pointed out earlier, the DSB has called for action on these matters in each of the past 3 years. 
✓ 1. Designate an accountable IW focal point 

2. Organize for IW-D 

3. Increase awareness 

4. Assess infrastructure dependencies and vulnerabilities 

5. Define threat conditions and responses 

✓ 6. Assess IW-D readiness 

✓ 7. “Raise the bar” (with high-payoff, low-cost items) 

8. Establish a minimum essential information infrastructure 

9. Focus the R&D 

10. Staff for success 

11. Resolve the legal issues 

12. Participate fully in critical infrastructure protection 

13. Provide the resources 

Do it now! 

(DSB has been saying this for 3 years!) 

Exhibit 7-2. And Start Immediately! 
APPENDICES 


Appendices are provided as background and resource information. They do not represent a 
consensus view of the Task Force, and recommendations contained in the Appendices are not 
Task Force recommendations to the Department. Some of the appendices were used in part as 
input to the main body of this report. Other appendices are provided because they contain useful 
information for further discussion of matters addressed in the main body of the report. 




APPENDIX A 


THREAT ASSESSMENT 


A.1 THE REALITY OF THE PROBLEM 

Advances in the information infrastructure and [...] able to do more damage with a keyboard 
than with a bomb. In 1989, another CSTB report, Growing Vulnerability of the Public Switched 
Networks, [...] or hostile agents. 

Since those reports were written, use of [...]. [...] dependence is giving rise to heightened 
concern about the vulnerability of [...] infrastructures (NII & GII), which are inextricably linked 
(notwithstanding intentionally [...]). [...] examples as additional input: 





US Dependence on Information Systems 

• Industry increasingly reliant on communications infrastructures 

- Internet presence as of May 1994 (Internet info as quoted in the Computer Security Journal, 
Fall 1995): GTE had 228 registered networks; Boeing had 139 registered networks; 
Motorola had 137 registered networks; Martin Marietta had 62 registered networks; 
Lockheed had 62 registered networks 

- “The number of users who have access to the Internet within companies is 
growing at a rate of 10% every six months.” EDP Weekly, by Computer Age, 6 Nov 95. 

• Governmental structure of the US dependent on a tenuously 
secured communications infrastructure 

- One switch handles all federal funds transfers and transactions 

• DoD information infrastructure is enmeshed with other governmental structures and 
industry and private citizens through shared resources of the electrical grid, 
telecommunications, and the Internet 

Trends 

• On-line services are a $9.6B industry growing at 100% CGR 

- Address by Michael A. Braun, President and CEO of Kakida Late, Multimedia 94, 30 July 1994 

• US financial institutions 

- transfer more than $1 trillion every day via computer 

- Federal Reserve System handles more than 24,000 wire transfers per day 

- Pittsburgh City Paper, Vol. 4, No. 34, August 24-30, 1994, pp. 8-9 

• Intel Chairman Andy Grove predicts that by the end of this decade, PC sales will 
surpass 100 million units worldwide, more than sales of cars or TVs. 

- Egil Juliussen, “Small Computers,” IEEE Spectrum, January 1995, p. 44 

• By 1993, 32.7% of US households had a personal computer 

- Marvin Sirbu, CMU 

• 12 million copies of Microsoft Office have been distributed 
worldwide as of December 1995 

- Microsoft Corporation Annual Report 1995 


A.2 ASSESSMENT OF THE THREAT 

In today’s information intensive environment, the information warfare threat can come in many 
forms. The challenge in evaluating that threat, and the appropriate level of protection or 
response, has been in sorting out the actual from the perceived, and determining the potential 
for [...]. In order to adequately assess this threat, the Task Force divided the subject 
into three categories: 

• What is known — the validated threat. 

• What is suspected — trends, indications, and the assessment process. 
• What is unknown — potential events based on existing capabilities. 

These threats to the National and Defense Information Infrastructures vary greatly in terms of 
intent, sophistication, technical means, and potential impact. The threats can be categorized into 

the following groups: 

• Incompetent, inquisitive or unintentional blunderer; mischief makers and pranksters. 

• Hackers driven by technical challenge. 

• Disgruntled employee, unhappy customer intent on seeking revenge for some perceived 
wrong. 

• A crook interested in personal financial gain or stealing services. 

• Major organized crime operation interested in financial gain or in covering their crimes. 

• Individual political dissident attempting to draw attention to a cause. 

• Organized terrorist group or nation state trying to influence U.S. policy by isolated 
attacks. 

• Foreign espionage agents seeking to exploit information for economic, political, or 
military intelligence purposes. 

• Tactical countermeasure intended to disrupt specific U.S. military weapon or command 
system. 

• Multi-faceted tactical IW capability applied in a broad orchestrated manner to disrupt a 
major U.S. military mission. 

• Large organized group or major nation-state intent on overthrowing the U.S. by crippling 
the National Information Infrastructure. 


Based on validated incidents, some of these threats clearly exist today. Others are less certain, 
but can be estimated based on available technology and analysis of continuing trends in 
development. An estimate of the likelihood for each of these threat categories is shown below. 

IW Threat Estimate 

[Table. Columns: Validated Existence; Existence Likely but not Validated; a third column 
whose heading is illegible. Rows: the threat categories listed above, beginning with 
Incompetent. The cell entries (W or L) did not survive extraction.] 

W = Widespread; L = Limited 
The information throughout this Appendix was compiled from unclassified sources and briefings 
received by the DSB from subject matter experts within the Department of Defense, and 
throughout the civilian sector. 

A.3 THE VALIDATED THREAT 

IW-related incidents date back to the mid 1980s with the growth of personal computers on a 
worldwide scale. 


IW-Related Incidents 

• Hanover Hackers. late 1980s 

• Software time bombs in Public Network switches in 

Denver, Atlanta, and New Jersey. mid-1989 

• Dutch teenagers’ intrusion into Pentagon computers 

during the Gulf War. Nov 1991 

• Rome Labs INTERNET intrusions. Apr 1994 

• Organized crime attack on Citibank. Aug 1994 

• INTERNET Liberation Front: 22-man group; 

4 currently indicted. Dec 1994 

• Numerous other hackers apprehended and awaiting 

prosecution (e.g. Mitnick, Poulsen). Ongoing 

• Sniffer programs found on all major INTERNET providers. 

• MCI Communications switch penetrations. 

• USAF Captain hacks into U.S. Atlantic Fleet ship 

computers as a test of system vulnerability. Sep 1995 


There Really Is A Smoking Gun 


The well known case involving the Hanover Hackers is one of the first recorded incidents and is 
considered to be an example of hacker activity performed for the challenge of gaining entry into 
someone else’s system, without malicious intent. 

Although most Public Network (PN) attacks are aimed at accessing other systems, or avoiding 
toll charges, the software time bomb attacks indicate that denial of service was the objective. 
(Note: References are at Attachment 1 to this Appendix). In the case involving Dutch teenagers, 
sensitive information related to U.S. war operations during Desert Storm was modified or copied. 
Access techniques used in this case included INTERNET and other networks. The Rome Labs 
incident is another highly publicized case which eventually revealed that over 150 INTERNET 
intrusions had occurred between 23 March and 16 April 1994. The intrusions were 
accomplished by a 16-year-old British hacker and an unknown accomplice. Several research 
programs and systems were compromised through the use of Trojan Horses and Network 
Sniffers. The individual was eventually apprehended by Scotland Yard, and is awaiting 
prosecution. 3 

In the 1994 attack on Citibank, an international crime group used the electronic transfer system 
and the international phone network to gain access and transfer approximately $12M to their own 
accounts. Prosecution of individuals apprehended in Russia and several European countries is 
pending at this time. 4 In December 1994, a group known as the INTERNET Liberation Front 
was charged with stealing phone network data, performing INTERNET attacks for money, and 
development of highly sophisticated attack tools. Numerous phone [...] and INTERNET 
providers were attacked, including some government systems. [...] substantial international 
component to their activity based on membership [...] countries. 5 The MCI incident involved 
an engineer who electronically collected 60,000 calling card numbers and sold them to an 
international crime ring. To accomplish this task, the individual penetrated several barriers 
which could have shut down the switch for a prolonged period. 6 

A final example is a case involving a programmed test of electronic systems vulnerabilities. The 
tester remotely entered the command and control system of a ship at sea, through use 
of a standard computer, INTERNET connection, and the E-mail system onboard the ship. 
[...] navigational control systems which could have affected ship performance 
or response to guidance commands. 

The cases listed here are certainly not an all-inclusive list. They do support an alarming trend 
toward widespread vulnerability on a case by case basis. The major concern involves what the 
potential outcome would be if these types of attacks were coordinated to occur simultaneously, or 
if the tools and techniques used were applied with a more subversive intent. 

A.4 THE SUSPECTED THREAT - AND THE ASSESSMENT PROCESS 

In order to more clearly identify the suspected threat, the Task Force considered a variety of 
sources for analytical support, and paid particular attention to some of the more detailed threat 
and vulnerability assessments accomplished within the last year. 

The Defense Information Systems Agency (DISA) conducted an extensive vulnerability 
assessment of government network systems in 1994 and 1995. A summary of the DISA focus 
and findings is shown below 8 : 


IW Assessments - DISA Report 

(Developing the Information Warfare Defense: A DISA Perspective, Dec 1995) 

Focus: 

• DISA ability to support defensive information warfare (DIW) 
initiatives. 

• Assessment of vulnerabilities. 

Findings: 

• DISA is organized to effectively support DIW initiatives, but lacks 
personnel and funding in many key areas. 

• It is estimated that DoD is attacked about 250,000 times per year, 
but only 1 in 500 attacks are detected and reported. 

• DISA assessment verified that less than 5% of all attacks are 
ever detected, and of those, less than 3% are reported. 

• Most damaging attacks come from insiders, but hacker tools 
commonly available on the Internet are capable of intruding on 
a majority of DoD systems. 
The result of this report was an increased awareness of a growing problem, but the initial actions 
were primarily focused on security awareness training, and increased training for Local Area 
Network (LAN) managers. Indications from DISA are that numbers of reported attacks remain at 
single-digit percentage levels, and the problem continues to grow. 

At the request of Congress, the General Accounting Office (GAO) conducted an assessment, 
with the report published in June, 1996. A summary of the GAO focus, findings, and 
recommendations is shown below: 

IW Assessments - GAO Report 

(Information Security: Computer Attacks at Department of Defense Pose Increasing Risks) 

Focus: 

• Potential for further damage to DoD computer systems. 

• Challenges DoD faces in securing sensitive information on its computer systems. 

Findings: 

• DoD relies on a complex information infrastructure to design weapons, identify and 
track enemy targets, pay soldiers, mobilize reservists, and manage supplies. 

• Use of the Internet to enhance communication and information sharing has increased 
DoD exposure to attack. 

• DoD information is unclassified, but it is sensitive, and should be protected. 

• DISA estimates that DoD is attacked about 250,000 times per year, but only 1 in 500 
attacks are detected and reported. 

• Attackers have stolen, modified, and destroyed data and software, disabled protection 
systems, and shut down entire systems and networks. 

• [...] responding to incidents, or assessing damage. 

(Continued) 

Recommendations: 

• Develop departmentwide policies for preventing, detecting, and responding to 
attacks, mandating the following: 

- Report all security incidents within the Department. 

- Perform risk assessments routinely. 

- Correct vulnerabilities and deficiencies expeditiously. 

- Expeditiously assess damage from intrusions to insure integrity of data and 
systems compromised. 

• Require military services and Defense agencies to use training and other 
mechanisms to increase awareness and accountability. 

• Require trained information system security officers at all installations. 

• Continue developing and cost-effectively using departmentwide network 
monitoring and protection technologies. 

• [...] implementation of this computer security program. 

Results of this report have been forwarded to the Senate Armed Services Committee and House 
Committee on National Security; the Senate Committee on Appropriations, Subcommittee on 
Defense, and the House Committee on Appropriations, Subcommittee on National Security; the 
Senate Select Committee on Intelligence and the Permanent Select Committee on Intelligence; 
the Secretary of Defense; the secretaries of the military services; and the Director, Defense 
Information Systems Agency. 

The report concludes that there are significant risks based on these findings: 

• Defense cannot locate or deliver supplies promptly without properly functioning 
inventory and logistics systems. 

• Defense relies heavily on computer technology — especially a network of simulators that 

emulate complex battle situations — to train staff. 

• It is impossible to pay, assign, move, or track people without globally networked 

information systems. , 

• Defense cannot control costs, pay vendors, let or track contracts, allocate or release funds, 

or report on activities without automation. 

• Defense systems handle billions of dollars in financial transactions for pay, contract 
reimbursement, and economic commerce. 


According to the FBI and Defense Investigative Service (DIS), high technology and defense- 
related industries remain the primary targets of foreign economic intelligence collection 
operations. This finding continues a trend reported in the 1995 Annual Report. The most likely 
industry targets of economic espionage and other collection activities during the past year include 
the following areas, most of which are included on the 1996 Military Critical Technology List 
(MCTL): 10 


• Advanced materials and coatings 

• Advanced transportation and engine technology 

• Aeronautics systems 

• Aerospace 

• Armaments and energetic materials 

• Biotechnology 

• Chemical and biological systems 

• Computer software and hardware 

• Defense and armaments technology 

• Directed and kinetic energy systems 

• Electronics 

• Energy research 

• Guidance, navigation, and vehicle control 

• Information systems 

• Information warfare 

• Manufacturing processes 

• Marine systems 

• Materials 

• Nuclear systems 

• Semiconductors 

• Sensors and lasers 
• Signature control 

• Space systems 

• Telecommunications 

• Weapons effects and countermeasures. 

According to a DIS summary of suspicious contacts reported in FY95, entities associated with 26 
foreign countries displayed an interest in 16 of 18 technology categories listed in the new MCTL. 
The U.S. considers all of the above industries to be strategically important because they produce 
classified products for the government, produce dual-use technology used in both the public and 
private sectors, or are responsible for the leading-edge technologies required to maintain U.S. 
economic security. 10 

FBI Director Freeh provided the following five examples of foreign targeting activities in his 28 
February 1996 statement before the Senate Judiciary and Intelligence Committees. 

• One foreign government controlled corporation targeted U.S. proprietary business 
documents and information from U.S. telecommunications competitors. 

• Another foreign competitor acquired the technical specifications from a U.S. automotive 
manufacturer. 

• In violation of U.S. export laws, a foreign company attempted to acquire a U.S. 
company’s restricted radar technology. 

• Several U.S. companies reported the targeting and acquisition of proprietary 
biotechnology information. 

• One U.S. company reported the foreign theft of its manufacturing technology regarding 
its microprocessors. 


Types of U.S. government economic information (pre-publication or unpublished insider 
data) of special interest to governments and intelligence services include: 


• Bid proposals 

• Economic, trade, and financial agreements 

• Energy policies 

• Marketing plans 

• Price structuring 

• Proposed legislation affecting the profitability of foreign firms operating in the U.S. 

• Tax and other monetary policies 

• Technology transfer and munitions control regulations 

• Trade developments. 


Three additional case studies were reviewed by the Task Force involving a southeast U.S. port 
city, a rail traffic control center, and a 1996 Federal Aviation Administration (FAA) vulnerability 
assessment. A summary of the findings: 

• Port City Assessment: 

- Identified single point of failure for infrastructures supporting 
military mobilization and deployment. 

• Rail Traffic Control Center Assessment: 

- Central control switching facility for east coast rail traffic. 

- Potential contributor to problems resulting in fatal Maryland 
rail collision of AMTRAK and MARC trains in fall of 1995. 

• FAA Assessment: 

- Not vulnerable today due to antiquated systems, limited 
networking, and proprietary software. 

- Upgrades will lead to vulnerabilities due to widespread use 
of COTS technologies and increased networking. 


Details of the assessment which could impact deployment of units and follow-on forces which 
rely on transport out of the port terminal region are provided in Reference 13. Investigation of 
the AMTRAK - MARC collision indicated human error, but vulnerabilities were detected in the 
control center, making it a potential single point of failure for exploitation. The FAA 
assessment, provided in briefing form to the Task Force in June 1996, concluded that even 
though vulnerabilities were likely to grow, financial realities restricted the ability to plan 
protective measures into proposed upgrades until mandated or, in the worst case, following a major 
incident. 11 

A.5 ARE WE AWAITING AN ELECTRONIC PEARL HARBOR? 

The trends seen in development of intrusive tools on the INTERNET, growth in hacker activity, 
and related incidents cause further concern. A summary of recent trends is given below: 

IW Trends 

• Open availability of intrusion tools. 

- SATAN made available to the public, April 1995. 

- Rootkit: Recently available, used to mask intrusions. 

• Continued growth of hacker activity: 

- Masters of Deception: Programmed attacks on phone companies. 

- Legion of Doom: Phone switching/billing, and credit card abuses. 

- Poulsen/Mitnick/Shadowhawk: Phone, system access, computer 
code abuses. 

- 5-hacker group break-in of computers at University of Washington, 
Bank of America, ITT, and Martin Marietta (1993). 

- Operation Moon Angel: Federal agents arrest 74 hackers 
nationwide for unauthorized entry into business and government 
computers (April 1995). 

• Continued growth in reported computer crimes: 

- Academy of Criminal Justice Sciences Study indicates that 98.5% 
of participating businesses had been victims of computer theft or 
attempted theft. 

• Cell phone cloning 

• Terrorist acts: World Trade Center Bombing. 


Tools: The NSTAC Assessment of Risk to Security of Public Networks reported in February 
1996 that SATAN, the Security Administrator Tool for Analyzing Networks, scans and reports 
system vulnerabilities, which, if improperly used, could enable system attacks. It was made 
openly available on the INTERNET in April 1995. The report also identifies Rootkit as a tool 
which falsifies data, making detection of intrusion difficult even with state-of-the-art technology. 
Rootkit is also openly available on the Internet. 

Hacker growth: Additional case study information is provided at Attachment 1 for the first three 
listings. In the case of the 5-hacker group, one raid wiped out data on the Learning Link, a NYC 
public television station computer serving hundreds of schools. 2 The Moon Angel offenses 
included breaking into NASA computers controlling the Hubble telescope, and rerouting calls 
from the White House. 2 

In October, 1995 New York officials made arrests in what was declared the largest cell phone 
cloning operation in the country. Estimates are that over 27,000 phones were cloned within a 
seven month period at an estimated loss of $1.5M per day in cell phone revenue nationwide. 2 

Finally, consider the World Trade Center bombing as a case which might be a good example of 
physical versus virtual attack: twin-tower, 110-story building; 50,000 workers and 80,000 
visitors daily vs. global marketplace nerve center, many City/State/Federal offices, several 
international offices, $3M phone switch station, telecom for Wall Street to the world. 12 

These trends are cause for a growing concern — the unknown threat, and the potential for an 
attack having strategic significance. 

A.6 THE UNKNOWN THREAT - POTENTIAL EVENTS BASED ON EXISTING 
CAPABILITIES (THE DEVELOPMENT OF A STRATEGIC THREAT) 

Existing, easily acquired capabilities make the potential for an attack having strategic 
significance a reality. The most common capabilities for IW-related attacks are, by themselves, 
often seen as more of a localized nuisance, rather than a strategic threat. When applied in a 
coordinated attack, however, the results are far more widespread. Consider the Nth order effects 
in the following example from Col Charles Dunlap’s essay, “How We Lost the High-Tech War 
of 2007”, published in The Weekly Standard, January 29, 1996: 

The Setting: (The year 2007): 

• Downsizing and cuts in military infrastructure are “off-set” by information technology. 

• COTS technology used widely by U.S. and her adversaries. 

• Open architecture provides information equality - not information dominance. U.S. 
insistence on open architecture leaves sources of information readily available to 
opponents - News media is a particularly valuable source. 

• Warfare has become even more savage - not cleaner, more high-tech. Televised atrocities 
and deaths of U.S. troops become a tool of adversaries to sway public opinion. 

The Indirect Attack - U.S. C2-Protect efforts are successful in countering direct attack, 
leading the adversary to indirect attack with many Nth order effects: 

• Mexican economy attacked - computers corrupted on a massive scale 

• Counterfeit electronic pesos flood Mexican bank accounts 

• Hyperinflation; economy collapses 

• Refugees flood into U.S. 

• Call for troops to be brought home to face domestic situation. 

The technologies required to perform these types of attack are available today. The issue of 
whether or not they comprise a strategic threat is more a matter of coordinated timing. Some may 
come in the form of a simple attack on a target identified as a single point of failure: 


[Figure: Simple Attack. Scale of Impact From Attack plotted against Relative Ease with which 
Attack Could be Done (Easy to Hard).] 

A more complex, coordinated attack takes on a multi-dimensional nature: 

[Figure: Complex Attack.] 

In either of these cases, the timing of the attack is what in fact may have made it strategic in 
nature. Consider the port city example: 13 

• A power outage, communications failure, or road/rail disruption would be an 
inconvenience to citizens on an average day. 

• However, these same incidents coordinated to occur at the peak of Desert Storm 
deployment could easily have constituted a strategic threat which would have altered 
arrival of troops and equipment which played a critical part in the outcome of the war. 

• Combine these with the previous examples of attacks on Pentagon computers, Rome Lab, 
Citibank, and the MCI switch, and the result is widespread loss of confidence in the 
government’s ability to respond to problems both at home and abroad. 

To demonstrate the relative ease of achieving an IW capability, the Threat Panel prepared the 
following table: 



As an example of a country heavily involved with developing their own capability, consider 
Russia. Of the 15 categories listed, Russia has a significant capability in seven categories, and a 
good capability in four (total: 11 of 15). These developments continue, even in the face of 
widespread economic difficulties. More importantly, almost any nation is capable of developing 
significant Information Warfare capabilities. Unlike nuclear capabilities, however, IW is 
relatively inexpensive, and quick to obtain, given the volume of available markets. Thus, a 
country such as Iran could acquire a strategic capability to threaten the United States without 
requiring a significant investment, or a long-term development cycle. 
A.7 THREAT CONCLUSION 


In order to best understand the significance of a potential IW threat, we must consider the often 
opposing views of information security between the private/commercial sector, and the national 
security view: 


Merging Two Views On Information Security Into One 

(Concepts expressed in NSA briefing “Ensuring Information Superiority for the 21st Century”, presented 
by LtGen Minihan at NSTAC session, May 1996) 

National Security View: 

• Protection of information has intrinsic value - National interest. 

• Cost of compromise difficult - can be life threatening. 

• Risk avoidance approach is traditional response. 

Private Sector / Commercial View: 

• Cost of doing business - pass the expense on to the customer. 

• Countermeasures have a definite expected value. 

• “Insurance” approach is the traditional response. 

National and Private Sector Information Security Are Now Inextricably 
Intertwined: 

• Zone of cooperation is emerging. 

• Risk management approach is needed. 


Strategic Sanctuary Is At Risk 


The private sector has viewed IW as a cost of doing business that was often passed on to the 
customer. The national focus still struggles with the concept of what constitutes a strategic 
threat. The response has been to avoid risk rather than manage and anticipate it. A zone of 
cooperation is now emerging which must be better defined. 

• Where do protection, detection, and response responsibilities lie? 

• Risk management rather than risk avoidance is a critical step. 

These issues are at the heart of the defensive information warfare issues. 
APPENDIX B 

INTELLIGENCE EXPLOITATION ARCHITECTURE 


The Task Force was briefed by a wide variety of [...] the Intelligence Communities. Several 
consistent themes emerged: the impact of the “Peace Dividend,” the “Changed World” in which we 
live, the changes in threats [...], and our concomitant expanded [...]. We must realize that 
information, per se, has become a precious commodity [...]. Further, our existing intelligence 
structure, collection, analytic and information integration capabilities were optimized for 
yesteryear. Even though we clearly need specific intelligence collection in a number of areas, such 
as from networked systems such as the INTERNET and other open sources, it became readily 
apparent that we do not effectively exploit all the [...] as decrements, often horizontal, in 
analytic resources increase. [...] neither our structure nor our information processing [...] the 
new world set of problems. 

Issues relating to Intelligence [...], collection investment [...] processes, strengthened IC [...] 
strategies, and developing areas of business excellence, all point to a critical need for [...]. 
A new paradigm is urgently needed. A “New Vision” is proposed. 

The Director of Central Intelligence, in concert with the Secretary of Defense, should create a 
“New Vision” for intelligence exploitation which would lead to a National Intelligence 
Exploitation Architecture (NIEA) which, over time, would develop the [...] meta system (or 
system of systems) for the National Intelligence Community. 

Why do we need this New Vision? Our existing systems were custom designed and created and 
built during a particular [period] without regard for interfaces, implemented and thus 
stovepiped. These systems were built for what became a fairly static target set with 
characteristics such as: 

• known geography and political boundaries 

• known major national entities, forces, units, etc. 

• known, slowly evolving military capabilities 

• known goals and objectives 

• known cultures and ethics 

• parametric and other signature characteristics known to and largely exploitable by our [...] 

• well-established data bases, data dictionaries and processing techniques to 
exploit and analyze observables. 

In relative terms, this was a fairly static target set for many years. 

Our world has changed [...] Rwanda, Somalia [...]. [...] for globally based intelligence, dynamic 
in names and rich [...] exploitation of open sources and networks [...] information. However, 
IC access [...] addressed as part of the NIEA. 

It is estimated that the National [...] budget for advanced computational technologies alone 
[...] over the next decade. Why would we wish to do so? 

First, our dramatically changed world has been [...] time. 

Second, hardware and software technology [...] period of COTS. We [...] open our systems to 
custom and monolithic [...]. We can have [...] to address changing requirements and to take 
maximum advantage of rapidly developing technologies. 

Third, the IC spends (and budgets) a larger amount on information technology per year, but in a 
largely [uncoordinated] manner. Today, there is neither a coherent architecture, nor [...] 
development activities in such a way to bring together the best [...] and interoperable meta 
system. Surely we need [...] in the 21st century. 

These should continue, but in the broader coordinated development activity as proposed [...] 
the past [...] on information technology in the NFIP alone without [...] integrated capabilities 
we must have for the 21st century. 

How would this work? The “New Vision” would [...] by enforced building codes (standards, 
[...]). IC [...] activities would be parsed to specific agencies [...] supported by the 
experience of, for example, DoD’s experience in promoting [...] development of the GCCS. 
Overall, [...] within the framework of the architecture to [...] one agency for [...] of any or 
all agencies. Let’s take but a few examples. 

• Text processing is crucial to us all. CIA and NSA arguably have the preponderant IC 
capability and [could be] charged with developing several tiers of text processing 
capabilities which would [...] covertly collected information, [...] and thence the 21st 
century capabilities we need to [...]. CIA, for instance, might be asked to [...] on data 
vaults, archiving large amounts [...], for example. NSA might be asked [...]. 

• Image processing in all of its [...] exploit video, such [...] century. Thus the new 
National [...] developing the technology, tools and [...] to handle the huge [...] and 
spaceborne sensors. This [...] must lay the groundwork today for that future. 

• [...] integration of systems and [...]. Examples of these include decision aids, 
visualization tools that work across disparate sources of intelligence and support a 
collaborative community of effort. 

In each of these cases, there would be a strong emphasis on exploiting and integrating technology 
from the private sector as well. [...] and Salomon Brothers are but two firms investing hundreds 
of millions [...] advanced information technology. We need to assess where the private sector 
will be [...] research and development so as to leverage those developments and conserve our 
[...] for R&D specific to IC/DoD needs and for integration of commercial technologies. 
Over time, the IC could develop a series of interoperable systems which would be less expensive 
and more powerful by several orders of magnitude for the 21st century, than if we proceed during 
the next decade in the same mode as the last decade. 

The Intelligence Community will have to change in response to the NIEA. Carrying out the 
initiative may require a more highly centralized focus on information systems that are both 
within individual organizations and across the IC as a whole. Long-debated plans for Central 
Information Services Offices may have to be implemented to create the budgetary resources and 
organizational authority needed to guide an internal information revolution. A Central 
Information Council may be needed at the SECDEF/DCI level (perhaps to include other 
government agencies) to establish policy and to guide the IC to focus on common interests. 
Whatever organizational reforms are taken to ensure the success of the initiative, change will be 
needed to break down resistance to change, shift established patterns of investment, and enforce 
a high degree of cooperation and interoperability. 

• Investments in information systems must be shifted from operations and 
maintenance of existing, slowly-evolving systems to the development of more powerful 
and adaptable systems that are the focus of the initiative. 

• Higher levels of cooperation and coordination between the collection, exploitation and 
analytical communities are needed to support the dynamic, uninhibited research 
environment envisioned in the initiative. 

• An unconstrained research environment will break down the isolation of analysts from 
each other and the policymakers and encourage the integration of military, economic, 
ethnic, political and technological factors in analysis. Analysis standards must be 
established and enforced throughout the IC to avoid “tabloid” intelligence reporting and 
to ensure the presentation of sound, but divergent views. 

The most difficult part is to make the decision: to commit to a road map of information 
technology which will become the exploitation and analysis meta system (or system of systems) 
of the 21st century. The target environment is an integrated, yet highly distributed, 
heterogeneous IT infrastructure which, over time, will permit an individual in the Intelligence 
or Defense Communities to query this information environment (much as can be done today on 
INTERNET). The responses would be relevance ranked and presented in a contextual 
framework pertinent to that particular user. Thus, military commanders/CINCs, acquisition 
managers, intelligence analysts and a myriad of other users could gain access to the most 
comprehensive and broadly based information and intelligence available. Surely security is both 
an issue and a potential problem. Keep in mind that we are talking about the system for the 21st 
century and many of the security issues of today will be resolved either procedurally (a la the 
Joint Security Commission Report) or technically through protective hardware and software. 
Figure 1 illustrates the concept whereby an individual seeking information “goes fishing in the 
sea of data.” The system would understand some of the context from which the query was made, 
and as the user asked additional and clarifying questions, the system builds more and more 
relationships pertinent to the user’s [...]. Alerting tools [...] 
people use their phone or credit cards. 

[Figure 1. What the User Needs: an easy capability to extract information related to his problem 
from the mass of data (national and otherwise) available on distributed problem solving networks.] 



Figure 2 illustrates the distributed nature of the component systems. They could be spread across 
Washington, the country, or the world. The key is that, like the INTERNET, the user does not 
have to know where information is stored in order to retrieve it! His query will seek data through 
the network of servers/routers/switches that dynamically interface the systems. Although today’s 
INTELINK is a significant improvement over a couple of years ago in accessing intelligence 
from remote, distributed agencies and commands, it relies on pre-identified and indexed 
intelligence. What we need for the future is a system that aids the user in finding “unknown” 
information. 


[Figure 2. An Integrated Architecture (Agencies/Commands).] 
Figure 3 shows how an integrated interactive multi-media workstation would have (or access) 
decision aids, correlation and fusion aids and visualization tools to provide the user the most 
pertinent and timely information. There is no intent to create and keep current monolithic data 
bases from which searches would be made. Data bases, as we currently know them, are 
necessary but hardly sufficient for our 21st century purposes. More about that shortly. 


[Figure 3. Concept for an Integrated Interactive Multimedia 
Distributed Exploitation and Analysis Network.] 


A powerful aspect of this proposed National Intelligence Exploitation Architecture is that this 
identical infrastructure could support all of DoD, or all of the government. The tools, techniques, 
technology and integration required to build and implement this system, need only to provide 
access to the data sources others might need to serve all of DoD or all of Government. Surely 
there would be requirements for domain specific tools, decision aids and presentation unique or 
nearly unique to particular user communities. But the underlying infrastructure would be as 
widely applicable and robust for all, as is the INTERNET today and tomorrow. There is within 
the DoD a Common Operating Environment (COE), used principally as the core of the GCCS 
and some other C2 systems. This may offer a starting point (a building block) from which to 
design the NIEA. 
Surely many of the issues associated with the successful implementation of this architecture seem 
intractable today. A great deal of technology R&D and technical development must be 
accomplished and integrated over time to achieve these goals. This is a journey we believe is 
absolutely essential. Our existing “stovepipe” systems were built with old technologies under 
different paradigms. We have a new world, and a new paradigm for sharing information — most 
of which will now be unformatted, in contrast to most information in existing intelligence data 
bases. 

Most of the existing analytical support systems in use today deal with three major types of 
information in various storage sizes (e.g., megabytes to terabytes). The information types are: 

• Fixed-format database - file, record, field with predefined field sizes and attribute names. 
Collected data which cannot be fitted within the existing data definition must be 
discarded, since there is no way to store and retrieve it. 

• Free-form text databases - unformatted messages, open source materials, etc. 

• Pictorial or graphic databases - graphics, imagery, etc. (Note: these are largely still 
images, with limited animation or video.) 

Enormous effort has gone into developing automated systems to support filing collected 
information into one of these types such that it can be queried, retrieved, and disseminated using 
existing (circa 1980) indexing and database technology. The “New World Order” and the 
emergence of new database types such as analog and digital video, voice, and new National 
collection capabilities are generating a need for tools and techniques for dealing with extremely 
large data vaults. 

The term data vault describes a repository of information in a multiplicity of formats: 
Boolean, single character, character string, or numeric fields; free-form text; and “blobs” (Blocks 
of Bytes). Blobs can contain images, digitized audio, video, etc. Dealing with data vaults of the 
magnitude which we can now collect will require substantial innovation in relational and/or object-
oriented database storage, indexing, and retrieval. The capabilities that are needed are: 

• High speed, high volume storage and retrieval, including fully automated stuffing of 
formatted databases from text messages and packed parameterized data streams. 

• Automated means of storing, indexing and accessing blobs of non-textual materials 
(graphics, imagery, video, etc.) by content. 

• High speed data transmission of the contents of entire data vaults or subsets thereof. 

• Super high performance object database systems. Automatic format recognition and 
transformation. (Simple example: PICT to TARGA and the reverse. More complex 
examples: Rembrandt or PictureTel to Fractal or DVI and reverse. Model 204 to SQL 
and back.) 

• “Profiling” of non-textual materials better than the way we now do text and messages. 

• Fully automated formation of hyperlinks. 

• Case frame or concept-based retrieval. 


• Intelligent User Assistance Agents (“knowbots”). 


• Self Organizing databases (especially text, imagery, video, etc.). 

• Superior query techniques for sporadic users who are not (and do not have time to 
become) data retrieval specialists (see next section). 

• All of this within a secure environment (classified and unclassified). 


There are a number of systems under development which may attack some of these issues. For 
example, EOSDIS will collect, store and make accessible on the order of terabytes a day. 


Refer back to Figure 1 which illustrates the capability needed for the user in response to the 
explosion of dissimilar information to which we have and need access and understanding. The 
technologies cited above can be referred to as those necessary to provide Distributed Problem 
Solving (DPS) capabilities to intelligence analysts and others. 


While we attempt to attack the multi-source correlation and fusion problem with automation, 
we often overlook the finest and fastest correlation system available: the human eye, ear, and 
brain. Further, almost since the beginning of application of ADP technology to intelligence 
problems, analysts have asked for a smart map. 


The third fundamental piece of the puzzle is finding ways of displaying complex and voluminous 
disparate data streams such that our premier correlation tool can visualize them. A true smart 
map is one presentation approach, to which almost any analyst can relate. Some of the features 
included in smart maps would be: pan and zoom, movable viewpoints, active regions, alerts and 
alarms, validity representation and so on. 


In addition to these smart map capabilities, we need better ways to visualize dynamic phenomena 
such as occurrences of scenario events with respect to time, and to integrate temporal and spatial 
relationships in displays, operations clocks, etc. These need to be integrated with the smart map 
display with corresponding active regions on the timeline displays such that the analyst can 
access the same information from either place. Display techniques are needed to allow 
visualization of problems with dimensionalities higher than four (three-space + time). 
Additionally, efforts in voice recognition technology could minimize keyboard entry of database 
and knowledge base input and queries. 

The technologies cited above (and a number of others such as imagery processing, compression 
techniques, interactive multi-media, etc.) represent a panoply of capabilities, some of which are 
far more attainable or cost effective than others. Some are more likely at the end of a decade, 
others reasonably soon. Much of the needed technology is being developed, or will be developed 
in the private sector. Systems for voice recognition and understanding are already replacing 
commercial telephone operators; office work stations are already taking dictation; personal 
computers are translating scientific journals from Japanese into English. Image understanding 
systems are being used to read x-ray mammograms and inspect cell cultures. Advanced 
computer systems are being used by commercial airlines for resource allocation and logistics 
planning beyond human capabilities. Other applicable commercial developments include 
worldwide, point-to-point voice, compressed data, and even encrypted communications for 
cellular phones and the INTERNET. The entertainment industry is investing huge sums to 
develop new wideband data distribution systems (i.e., high definition television) and direct 
digital broadcast satellites. These are all technologies which are directly applicable and will be 
developed far faster by commercial industry than by the government. 

These technologies need not be developed twice. The trick, of course, is to pick the right ones; 
fit them into a critical path, and integrate them into the National Intelligence Exploitation 
Architecture. This drives us to realize that integration, per se, is becoming and must become a 
technology in its own right. Advanced integration tools, techniques and testing require 
significant development. DARPA, in concert with the private sector, is the obvious candidate to 
tackle these issues. 

The challenge then for the Intelligence Community (the DCI and SECDEF) is to: 

• Develop the “New Vision.” This should be accomplished working with the customer 
base to derive a set of design objectives for the National Intelligence Exploitation 
Architecture. Next, 

• Develop the basic system architecture road map; evaluating various technologies and 
approaches, and then 

• Create a detailed program plan to implement the infrastructure, and 

• Make needed organizational adjustments to ensure the program is carried out. 

It is believed that adequate funds are present in existing NFIP (with partial DARPA support) 
budgets to support this architecture. Success would take commitment to a coherent road map and 
parsing varied development activities to agencies which would essentially become centers of 
excellence for varied components of this architecture. This program provides the framework for 
our 21st century intelligence exploitation and analysis support to government. 
APPENDIX C 


A TAXONOMY FOR INFORMATION WARFARE? 


Taxonomy: 

1. The classification of organisms in an ordered system that indicates natural relationships. 

2. The science, laws, or principles of classification; systematics. 

3. Division into ordered groups or categories: “Scholars have been laboring to develop a 
taxonomy of young killers” (Aric Press). 

[French taxonomie: Greek taxis, arrangement; see TAXIS + -nomie, method (from Greek - 
nomia; see -NOMY).] American Heritage Dictionary 

[...] manner beyond three levels [...] a particular process, over variable [...]. [...] of the 
taxonomy is discussed later in this Appendix. 

However, by adopting the concept [...] information dependent processes, [...] was developed for 
information warfare defense. Such a tailored warning assessment and [...] each civil agency and 
in various domains [...] evaluate the operational readiness of [...] systems, administrators and 
users of information and information systems. 

[...] partitioning [...] increasingly robust [...] assessments follows: 

1) accidental failure (the inclusion of accidental failure is important because in many cases the 
nature of failure may never be determined but it is still important to know the range of 
potential effect on the information dependent process), 
2) amateur hackers, 

3) experienced hackers. 
4) well-funded non-state group or actor able to purchase or hire advanced information 
warfare capabilities, 

5) state-sponsored information warfare, and 

6) state-sponsored information warfare with the active collusion of an authorized insider 
(worst case). 

A standardized set of methods for assessing information dependent processes should be used so 
that reporting is consistent across a wide range of information dependent activities. A proposed 
partitioning of assessment methods follows: 

a) an unknown information assurance capability for a specified assessment scenario, 

b) an engineering estimate of information assurance, based on a review of design and 
recovery plans, but no physical testing for a specified assessment scenario, 

c) an engineering estimate of information assurance, based on design parameters, simulation 
exercises, and the review of detection capabilities and recovery plans, but no physical 
testing for a specified assessment scenario, 

d) an internal information assurance audit by an internal but independent organization, based 
on examination of the written record of security and accidental incidents and responses from 
live contingency plan exercises designed to simulate a specified assessment level 
defined above, 

e) an internal information assurance audit by an internal but independent organization, based 
on testing and examination of security and accidental incidents and responses from a live 
contingency plan exercise designed to simulate a specified assessment scenario defined 
above, and 

f) an information assurance audit by a totally independent security assessment organization, 
based on testing and examination of security and accidental incidents and responses from 
a live contingency plan exercise designed to simulate a specified assessment scenario 
defined above (most stringent test case). 

Note that not all organizations would be expected to meet the most stringent assessment scenario. 
The evaluation level applied would be determined by the criticality of the information 
dependent process to the overall activity. 

In such an information assurance planning, testing and evaluation construct, the most robust and 
resilient organization would have demonstrated a 6-f capability of information assurance 
(assessment scenario 6 evaluated by method f). 

Although not a taxonomy of information warfare, this approach provides a standard vocabulary 
for assessing and reporting operational readiness of organizations to carry out information 
dependent processes in an information warfare environment. This construct also provides a basis 
for developing an information warfare readiness reporting process. 

Within the Department of Defense, suitable information assurance reporting criteria along the 
above lines should be added to the Status of Resources and Training System (SORTS) (or a 
SORTS-like report); Communications Spot Report (COMSPOT) and daily Communications 
Status Report (COMSTAT); annual CINCs Preparedness Assessment Report (CSPAR); Combat 
Support Agency Assessment System (CSAAS); and the Base Defense and Operations Security 
evaluation schemes. 

In addition to preparedness assessments, which address specific information dependent processes, 
a generalized threat warning system is needed to communicate a heightened level of alert to 
numerous interconnected information dependent activities. 

Design of a warning system is complicated by the interconnectivity of the national (and global) 
information infrastructure. A heightened state of alert must extend to all connected systems, but 
because at higher threat levels appropriate actions could include disconnecting from the 
infrastructure, a warning method is needed that does not fully depend upon the interconnected 
infrastructure. Conceivably, preparation could include “war modes” that extend across lower 
levels of network protocols (physical level through transport layer protocols). In addition, a 
workable information warfare alert and response process will require a comprehensive legal, 
regulatory and operational infrastructure. 

Detection of information warfare attacks will likely not come directly from intelligence or the 
managers of individual systems. “Warlike” attacks may have many diverse targets but probably 
will not follow the pattern of normal thefts or disruptions caused by amateur intruders, except as 
cover, concealment or deception. 

Reporting of incidents, particularly of attacks on civil information users of national interest, will 
neither be automatic nor directed to a common point unless a distributed structure is created now, 
like the Center for Disease Control. Creation of a distributed reporting structure that filters 
upward, with a focus on finding broader and broader patterns through indirect measurement and 
iterative analysis, is essential, as most “problem” detection will take place locally in a very 
decentralized fashion without the visibility necessary to detect the linkages between apparently 
unconnected events. 

The Tactical Warning/Attack Assessment functions will require the synthesis of diverse and 
apparently unrelated information. Specialists in offensive information warfare should be 
included in the make-up of Department of Defense and national TW/AA centers to ensure 
suitable tradecraft is applied to the TW/AA process. 

On receipt of an information warfare alert message or threat condition, the individual managers 
of information dependent processes could initiate appropriate defensive actions, to include 
disconnecting from the shared infrastructure. Although Alert Conditions could be issued as a 
result of strategic warning, most would be triggered by an aggregation of tactical warning reports 
of individual incidents which together show the pattern of an attack rather than isolated incidents. 

A set of proposed information warfare (IW) Alert Conditions and Responses for use by the 
Federal government, in both civil and national security activities, follow: 

IW Alert Condition I 

Situation - Normal 

Normal level of threat from accident, crime and amateurs 
Normal level of unexplained activities in all sectors of the nation 

Response Required: 

Normal protective actions to include: 

• Due diligence in protecting information systems and assets 

• Reasonable level of maintenance activities 

• Compliance with IRS transaction auditing requirements 

• Compliance with all applicable rules, regulations and laws 

IW Alert Condition II 

Situation - Perturbation 

a) 10% increase in incidence reports, either regional or within a functional information 
dependent activity of national interest 

• Regional would include a large communally served geographic area 

• Functional would include sectors of the infrastructure, including but not limited to 

— Sector systems, such as medical systems or financial systems 
— Telecommunications service providers 
— Public utilities 

b) 15% increase in all incidents 

• Not limited to obvious infrastructure connections 

Response: 

Increase incident monitoring and cooperative analysis 

Look for patterns across a wide range of variables 

• Including source, users, time, connection, and type of equipment 

Alert all agencies to increase awareness of activities 

• Including Federal agencies, regulatory bodies, trade groups, professional 
organizations, and corporate entities 

Begin selective monitoring of critical information services 

• Initiate expanded audit and tracking capabilities with increased reporting to central 
manager 

IW Alert Condition III 

Situation - Heightened Defense Posture 

a) 20% increase in incidence reports across the board, even with no apparent connection 

b) Condition II with special contexts 

• Contextual sensitivity subject to integration with all other operations and activities 
of the U.S. 

Response: 

Disconnect all unnecessary connections 

• Advisory notices broadcast over diverse media to all elements of infrastructure: an 
IW emergency broadcast warning 

• Limiting connections should force a channeling of hostile activity and reduce the 
number of backdoors that can be exploited 

Turn on real time audit for critical information systems 

• Augment audit analysis teams to handle the increased loads 

Begin mandatory reporting to central manager 

• Support forensic investigations and help determine the identity of the aggressors 

IW Alert Condition IV 

Situation - Serious Situation 

a) Major regional or functional events that seriously undermine U.S. interests 

b) Conditions II or III with special contexts 

• Contextual sensitivity subject to integration with all other operations and activities 
of the U.S. 

Response: 

Implement alternate routing 

• Example: replace a beleaguered switch with an ACTS satellite until the system can 
be rebuilt 

Limit interconnectivity to minimal states 

• Begin triage to protect the main body 

Begin “aggressive” forensics investigations 

• Require legal back-up to allow active tracing of activities independent of identity 
or citizenship constraints 

• Includes proactive defensive measures 

• Includes intent to prosecute or exact retribution 

IW Alert Condition V 

Situation - Brink of War 

a) Widespread incidents that undermine U.S. ability to function 

b) Conditions III or IV with special contexts 

• Contextual sensitivity subject to integration with all other operations and activities 
of the U.S. 

Response: 

Disconnect critical elements from the public infrastructure 

• Deploy the Minimum Essential Information Infrastructure and temporary systems 
as required 

Implement WARM protocols 

• For critical systems, implement alternate protocols for network to transport layers 
of systems 

Declare state of emergency 

Prepare for warfare, including retribution against aggressors using the full force of the 
U.S. 
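
The quantitative triggers in Conditions II and III above (a 10% rise in a region or functional 
sector, a 15% rise in all incidents, a 20% rise across the board) lend themselves to a mechanical 
first pass over aggregated incident-report counts. The Python module below is an added 
illustration and is not part of the Task Force's report or of any government system: it compares a 
baseline reporting period with the current one and returns the highest Alert Condition that the 
numerical thresholds alone support, with the reasons listed for the analyst. The region and sector 
names and all counts are constructed sample data. The "special contexts" clauses and Conditions IV 
and V are judgments the code cannot make, so it stops at Condition III and accepts the analyst's 
special-context finding as an input. 

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds taken from the Alert Condition definitions in this Appendix.
REGIONAL_OR_FUNCTIONAL_PCT = 10.0   # Condition II (a)
ALL_INCIDENTS_PCT_II = 15.0         # Condition II (b)
ALL_INCIDENTS_PCT_III = 20.0        # Condition III (a)

ROMAN = {1: "I", 2: "II", 3: "III"}


@dataclass(frozen=True)
class IncidentCounts:
    """Incident-report counts for one reporting period.

    by_region and by_sector map a region or functional sector name to its
    count; all_incidents is the total across every reporting source.
    """
    by_region: Dict[str, int]
    by_sector: Dict[str, int]
    all_incidents: int


def pct_increase(baseline: int, current: int) -> float:
    """Percentage increase from baseline to current.

    A category with no baseline reports but activity now is treated as an
    unbounded increase so that it is surfaced for analyst attention rather
    than silently dropped.
    """
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) * 100.0 / baseline


def _category_triggers(base: Dict[str, int], cur: Dict[str, int], label: str) -> List[str]:
    """Name every region/sector whose increase meets the Condition II (a) threshold."""
    hits = []
    for name in sorted(set(base) | set(cur)):
        pct = pct_increase(base.get(name, 0), cur.get(name, 0))
        if pct >= REGIONAL_OR_FUNCTIONAL_PCT:
            hits.append(f"II(a): {pct:.1f}% increase in {label} '{name}'")
    return hits


def assess_alert_condition(baseline: IncidentCounts, current: IncidentCounts,
                           special_context: bool = False) -> Tuple[str, List[str]]:
    """Return (alert condition, reasons) supported by the numerical thresholds.

    special_context is the analyst's judgment that the Condition II indicators
    must be read against other U.S. operations (Condition III (b)); Conditions
    IV and V require events the counts alone cannot show.
    """
    level = 1
    reasons: List[str] = []

    overall = pct_increase(baseline.all_incidents, current.all_incidents)
    if overall >= ALL_INCIDENTS_PCT_III:
        level = 3
        reasons.append(f"III(a): {overall:.1f}% increase in all incident reports")
    elif overall >= ALL_INCIDENTS_PCT_II:
        level = 2
        reasons.append(f"II(b): {overall:.1f}% increase in all incidents")

    category_hits = (_category_triggers(baseline.by_region, current.by_region, "region")
                     + _category_triggers(baseline.by_sector, current.by_sector, "sector"))
    if category_hits:
        level = max(level, 2)
        reasons.extend(category_hits)

    if special_context and level == 2:
        level = 3
        reasons.append("III(b): Condition II indicators with special contexts")

    return ROMAN[level], reasons


# Constructed sample periods (not real reporting data).
BASELINE = IncidentCounts(by_region={"northeast": 100, "west": 80},
                          by_sector={"financial": 60, "telecom": 40},
                          all_incidents=300)
# One region up 12%, everything else flat: Condition II via clause (a).
PERTURBED = IncidentCounts(by_region={"northeast": 112, "west": 79},
                           by_sector={"financial": 62, "telecom": 41},
                           all_incidents=310)
# Across-the-board rise of 22%: Condition III via clause (a).
SURGE = IncidentCounts(by_region={"northeast": 120, "west": 100},
                       by_sector={"financial": 75, "telecom": 50},
                       all_incidents=366)

if __name__ == "__main__":
    for name, period in (("baseline", BASELINE), ("perturbed", PERTURBED), ("surge", SURGE)):
        condition, why = assess_alert_condition(BASELINE, period)
        print(f"{name}: IW Alert Condition {condition}")
        for line in why:
            print("  -", line)
```

The thresholds are deliberately kept as named constants so that a reporting centre can tune them 
without touching the logic, and the function never escalates past Condition III on counts alone: 
the report ties the higher conditions to events that "seriously undermine U.S. interests" or the 
nation's "ability to function", which no percentage captures. 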

Consideration of A Taxonomy for Information Warfare 

Many of the definitions, concepts and words that follow are drawn from the Joint Publication 
System, and in particularly from the Joint Doctrine for Command and Control Warfare and the 
Joint Reporting Structure. 

The central concept of information warfare is straightforward: The ultimate target of information 
warfare is an information dependent process, whether human or automated. The use of the word 
"warfare" should not be construed as limiting information warfare to a military conflict, declared 
or otherwise. 

The root concept of information warfare is offensive in nature. In turn, the concept of 
information warfare defense flows from the offense. This is not surprising as most defensive 
actions (counter-air, anti-submarine warfare, counter-mine, anti-crime, anti-drug) only have 
meaning within the context of action-reaction. Offensive information warfare targets 
information or information systems in order to affect the information dependent process, whether 
human or automated. Defensive information warfare protects the information dependent process, 
whether human or automated. 

The question of interest is whether a useful taxonomy of information warfare can be derived. 

In Joint Pub 3-13.1, Joint Doctrine for Command and Control Warfare, an "information system" 
is defined as the organized collection, processing, transmission, and dissemination of 
information, in accordance with defined procedures, whether automated or manual. This 
includes the entire infrastructure, organization, and components that collect, process, store, 
transmit, display, and disseminate information. It includes everything and everyone that 
performs these functions — from a laptop computer to local and wide-area voice and data 
networks, broadcast facilities, buried cable and, most importantly, the people involved in 
transmitting, receiving, processing, and using the information. People, decisionmakers at all 
levels, are the most important part of the information system. 
However, information systems themselves are part of larger information infrastructures. These 
infrastructures link individual information systems in a myriad of direct and indirect paths. The 
growing information infrastructures of today transcend industry, media, and the military and 
include both government and non-government entities. The collection, processing, and 
dissemination of information by individuals and organizations comprise an important human 
dynamic, which is an integral part of the information infrastructure. A news broadcast on CNN, 
a diplomatic communique, and a military message ordering the execution of an operation all 
depend on the global information infrastructure. The information infrastructure has been 
assigned three categories: global information infrastructure (GII), national information 
infrastructure (NII), and defense information infrastructure (DII). 

• The GII is the worldwide interconnection of communications networks, computers, data 
bases, and consumer electronics that make vast amounts of information available to users. It 
encompasses a wide range of equipment, including cameras, scanners, keyboards, fax 
machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, 
fiber-optic transmission lines, microwave, nets, switches, televisions, monitors, printers and 
much more. The GII, however, includes more than just the physical facilities used to store, 
process, and display voice data. The personnel who operate and consume the transmitted 
data constitute a critical component of the GII. 

• The NII is the subset of the GII within the U.S. used for social, economic and national 
security activities. 

• The DII is the shared or interconnected system of computers, communications, data 
applications, security, people, training, and other support structures serving DoD’s local, 
national and worldwide information needs. The DII connects DoD mission support, 
command and control (C2), and intelligence computers through voice, telecommunications, 
imagery, video and multimedia services. It provides information processing and services to 
subscribers over the Defense Information Systems Network. It includes C2, tactical, 
intelligence and commercial communications systems used to transmit DoD data. 

In actuality the GII, NII and DII labels are misleading as there are few distinct boundaries in the 
information environment. The DII, NII, and GII are inextricably intertwined, a trend that will 
only intensify with the continuous application of rapidly advancing technology. Again, no 
ordered structure is readily apparent on which to base a taxonomy. 

If information warfare targeting and information warfare defense are shaped by particular 
information dependent processes then perhaps ordering information dependent processes will 
lead to a structure. However, only a little reflection leads to the conclusion that there are an 
infinite variety and scope of information dependent processes. Clearly, there is no "ordered 
system" that will tie these potential processes together, other than the shared characteristic of 
depending on information. Enumerating information dependent processes will not yield a 
taxonomy. 

What of the methods of information warfare? Consider that attacks and defenses may involve: 

• Physical attacks on the components of the information infrastructure, e.g., computers, 
communications devices, software, cables, control devices, etc. 

• Physical attacks on the components containing or supporting the information 
infrastructure such as buildings, power systems, environmental services. 

• Physical attacks on or the subversion of the people (witting or unwitting) who operate 
elements of the information infrastructure. 

• Physical destruction of information (erasure or over-write) without harming the 
infrastructure components. 

• Logic (malicious code) attacks on the components of the information infrastructure, e.g., 
computers, communications devices, software, control devices, etc. 

• Logic attacks on computer-controlled components supporting the information 
infrastructure. These may include air conditioners, air handlers, power distribution, and 
cooling water. 

• Attacks on information provided via the information infrastructure that is used by a 
specific function(s) (e.g., deception operations, and insertion of false information). 

• Corruption of information using logic or digital attacks without harming the components 
of information infrastructure. (The greatest harm may result from an attack which 
corrupts or injects false information in a manner that cannot be detected by the users of 
that information who subsequently take actions based on the corrupted or false 
information.) 

• Combined attacks where both physical and logical attacks on the information 
infrastructure or supporting elements are undertaken in combination to either mask one or 
the other types of attack or to obtain the benefits of a combined attack. 

From the above it follows that at the highest level information dependency can be partitioned into 
two elements: one, the availability of information needed by the process; and two, the integrity of 
information used in the process. Some would add a third element, the confidentiality of 
information, as it is an important factor in many civil and military information dependent 
processes. In the following derivation all three are addressed. Note that this trial taxonomy is 
irrespective of the offensive or defensive actions that may be undertaken to achieve or defend 
against these conditions; it is just a structure for information warfare. 

A top-level taxonomy for information warfare 

Availability of information or information services 

    Loss of information 
        Detected on occurrence 
        Detected after n* units of time 
        Undetected 

    Delay in receipt of information 
        Detected on occurrence 
        Detected after n units of time 
        Undetected 

    Loss of an information service 
        Detected on occurrence 
        Detected after n units of time 
        Undetected 

    Delay in an information service 
        Detected on occurrence 
        Detected after n units of time 
        Undetected 

Integrity of information 

    Unauthorized change in data 
        Detected on occurrence 
        Detected after n units of time 
        Undetected 

    Insertion of false data 
        From a correct source 
            Detected on occurrence 
            Detected after n units of time 
            Undetected 

        From an incorrect source 
            Detected on occurrence 
            Detected after n units of time 
            Undetected 

Confidentiality of information 

    Compromise detected on occurrence 
    Compromise detected after n units of time 
    Compromise undetected 

* The unit of time can vary from microseconds to years. The criticality of 
n is determined by the information dependent process in each particular 
case. 

Although only at three levels of complexity, this sample taxonomy rapidly becomes unwieldy. 
Complexity grows at the next level, as each of these conditions can be the result of accident or 
caused by deliberate intent. In many cases it may be impossible to determine which led to the 
condition. At the next level, deliberate intent can be carried out by an exterior actor, by an insider 
with authorized access to the information or information services used in an information 
dependent process, or by internal and external actors working in concert. Then there 
is the factor of time. If the failure was detected only after n units of time had elapsed, the effects 
that matter cannot be generalized but rather are unique to a specific information dependent 
process. The introduction of process-dependent timing takes us back to the earlier infinite 
variety of processes, which has already been rejected as a basis for a taxonomy. 

But to press on with this sample taxonomy, we recognize that all of these events can be arrayed 
in multiple sequences and combinations. There is an infinite number of combinations and 
permutations of such attack methods and countering defenses available for application within the 
intertwined DII/NII/GII environment. Thus, an attempt to add successive layers to the taxonomy 
sketched out above would explode into incomprehensible complexity. Each element of data; each 
bit and byte of software; each device, whether in a computer at an end-node or along a 
communication path; each waveform; and each person with access to any of the components 
would have to be mapped onto the structure. 

It is just this complexity that is a large part of the challenge facing the defender: he cannot know 
or protect against all the possible means of attack; to succeed, the attacker needs only to know one 
weakness that the defender has left unprotected or to have a weapon that can breach one point in 
the defense. This is the imperative for risk management, resilient systems, and robust recovery 
capabilities. Again, although a top-level information warfare taxonomy can be sketched, it does 
not scale to a useful construct. (See the last page of this Appendix for a footnote on complexity.) 
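
The combinatorial growth argued above can be made concrete by enumerating the sample 
taxonomy. The Python below is an added illustration and is not part of the Task Force's report: it 
encodes the top-level taxonomy exactly as listed, enumerates its leaves, and then adds the 
accident/deliberate layer and the actor layer (exterior actor, insider, both in concert) that the text 
says come next, so the leaf counts at each layer can be compared. The per-process timing factor 
is deliberately left out because, as the text notes, it cannot be generalized; the label strings are 
this example's own paraphrase of the headings above. 

```python
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]

# Detection outcomes shared by every event kind in the top-level taxonomy.
DETECTION = ("detected on occurrence", "detected after n units of time", "undetected")

# Top-level taxonomy as listed in this Appendix. An event kind maps to the
# sources it is split by, or to None when it has no further split.
TAXONOMY: Dict[str, Dict[str, Optional[Tuple[str, ...]]]] = {
    "availability": {
        "loss of information": None,
        "delay in receipt of information": None,
        "loss of an information service": None,
        "delay in an information service": None,
    },
    "integrity": {
        "unauthorized change in data": None,
        "insertion of false data": ("from a correct source", "from an incorrect source"),
    },
    "confidentiality": {
        "compromise": None,
    },
}

# The next two layers the text describes: the cause, and for deliberate
# intent, the actor who carried it out.
ACTORS_BY_CAUSE: Dict[str, Tuple[str, ...]] = {
    "accident": (),
    "deliberate": ("exterior actor", "insider", "exterior actor and insider in concert"),
}


def leaf_paths(taxonomy=TAXONOMY) -> List[Path]:
    """Every leaf of the top-level taxonomy as a tuple of labels, root first."""
    paths: List[Path] = []
    for dimension, kinds in taxonomy.items():
        for kind, sources in kinds.items():
            for source in (sources if sources else (None,)):
                for outcome in DETECTION:
                    path: Path = (dimension, kind)
                    if source is not None:
                        path += (source,)
                    paths.append(path + (outcome,))
    return paths


def with_cause(paths: List[Path]) -> List[Path]:
    """Add the accident / deliberate layer under every leaf."""
    return [p + (cause,) for p in paths for cause in ACTORS_BY_CAUSE]


def with_cause_and_actor(paths: List[Path]) -> List[Path]:
    """Add the cause layer and, for deliberate events, the actor layer."""
    out: List[Path] = []
    for p in paths:
        for cause, actors in ACTORS_BY_CAUSE.items():
            if actors:
                out.extend(p + (cause, actor) for actor in actors)
            else:
                out.append(p + (cause,))
    return out


def growth() -> Dict[str, int]:
    """Leaf counts at each successive layer of the sample taxonomy."""
    top = leaf_paths()
    return {
        "top level": len(top),
        "with cause": len(with_cause(top)),
        "with cause and actor": len(with_cause_and_actor(top)),
    }


if __name__ == "__main__":
    for layer, count in growth().items():
        print(f"{layer}: {count} leaves")
    # One leaf, read root first, as an analyst would label an incident.
    print(" / ".join(with_cause_and_actor(leaf_paths())[-1]))
```

Two added layers quadruple the leaf count (24 to 96) before any of the sequences, combinations 
or per-process timing the text mentions are considered, which is the scaling problem stated 
above; the enumeration is only useful as a vocabulary check, not as an operational structure. 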

Now the principal reason an information warfare taxonomy is a desired objective is that it adds 
precision to communication. Although the simple taxonomy sketched above does not meet that 
goal, a workable alternative is proposed that can be inserted into existing reporting structures. 

The development of this alternative to a taxonomy has the benefit that it builds on existing 
models from the Joint Publications System. 

Joint Publication 1-03, "Joint Reporting Structure (JRS)," establishes a standard reporting 
vocabulary for the Department of Defense. Joint Publication 1-03.3 establishes the Status of 
Resources and Training System (SORTS) and provides the general provisions and detailed 
instructions for collecting and preparing data on units of the U.S. Armed Forces and selected 
foreign and international organizations. In practice, the utility of SORTS is not optimum because 
of the timeliness and quality of data submitted. Whether incorporated in SORTS or a stand-alone 
method, an information warfare SORTS-like reporting scheme is needed. 

SORTS functions as the following: 

a. Central Registry of All Operational Units in the U.S. Armed Forces. SORTS is the 
single, automated reporting system within the Department of Defense that provides the National 
Command Authorities (NCA) and the Chairman of the Joint Chiefs of Staff with authoritative 
identification, location, assignment, personnel, and equipment data for the registered units and 
organizations of the U.S. Armed Forces, Defense agencies, and certain foreign and international 
organizations involved in operations with U.S. Armed Forces. The composite registry of all units 
is maintained by the Joint Staff. After initial registration, SORTS is designed to receive reports 
by exception when changes occur. 
b. Repository of Resource Status of Selected Units. For selected registered units, SORTS 
also provides the condition and level of resources and training. This includes the unit 
commander's assessment of how resources and training levels will affect the unit’s ability to 
undertake its wartime mission. Units report by exception within 24 hours of a change or as 
directed by the Chairman of the Joint Chiefs of Staff. If no change in unit status occurs within 30 
days of report submission, units submit a validation report. 

SORTS contains provisions for reporting various readiness items: 

(a) Overall C-Level (OVERALL) Set. Data in this set include the overall C-Level for the 
unit and the codes for primary, secondary, and tertiary degradation reasons. The overall 
readiness showing how well the unit meets prescribed levels of personnel, equipment, and 
training for the wartime mission for which the unit has been organized or designed is ranked in 
descending order from C-1 to C-5: 

C-1. The unit possesses the required resources and is trained to undertake the full 
wartime mission(s) for which it is organized or designed. The resource and 
training area status will neither limit flexibility in methods for mission 
accomplishment nor increase vulnerability of unit personnel and equipment. The 
unit does not require any compensation for deficiencies. 

C-2. The unit possesses the required resources and is trained to undertake most of the 
wartime mission(s) for which it is organized or designed. The resource and 
training area status may cause isolated decreases in flexibility in methods for 
mission accomplishment but will not increase vulnerability of the unit under most 
envisioned operational scenarios. The unit would require little, if any, 
compensation for deficiencies. 

C-3. The unit possesses the required resources and is trained to undertake many, but not 
all portions of the wartime mission(s) for which it is organized or designed. The 
resource and training area status will result in significant decreases in flexibility 
for mission accomplishment and will increase vulnerability of the unit under 
many, but not all, envisioned operational scenarios. The unit would require 
significant compensation for deficiencies. 

C-4. The unit requires additional resources or training to undertake its wartime 
mission(s), but it may be directed to undertake portions of its wartime mission(s) 
with resources on hand. 

C-5. The unit is undergoing a Service-directed resource action and is not prepared, at 
this time, to undertake the wartime mission(s) for which it is organized or 
designed. 

(b) Personnel Level (PERSONEL) Set. Data in this set include the personnel level (P-
level) and a code for the primary reason for degradation in the personnel area. 

(c) Equipment and Supplies On Hand Level (EQSUPPLY) Set. Data in this set include the 
equipment and supplies on hand level (S-level) and a code for the primary reason for degradation 
in the equipment and supplies on hand area. 


(d) Equipment Condition Level (EQCONDN) Set. Data in this set include the equipment 
condition level (R-level) and a code for the primary reason for degradation in the equipment 
condition area. 

(e) Training Level (TRAINING) Set. Data in this set include the training level (T-level) 
and a code for the primary reason for degradation in the training area. 

(f) Forecasted Category Level (FORECAST) Set. Data in this set include the forecasted C- 
level for the unit and the date the unit expects to attain that C-level. 

(g) Category Level Limitation (CATLIMIT) Set. Data in this set include the imposed 
maximum C-level for the unit, if any, and the primary resource area causing the limitation. 

An additional category should be added to SORTS specifying at what level of assessment 
scenario the unit is prepared to operate and how this preparedness was assessed using the 
terminology described earlier. 

Joint Pub 1-03.10, "JRS Communications Status," provides for the Defense Information 
Systems Agency to provide near-real-time status information on a serious degradation of the 
Defense Communication System (DCS) via a Communications Spot Report and to provide a 
summary of significant status information on the DCS via a daily Communications Status 
Report. 

These reports should be expanded to include information systems and information services. 
Further, these reports should be used by the military departments, services, combat support 
agencies and the CINCs to report the status of information systems and services. 

Joint Pub 1-03.31, "Preparedness Evaluation System," establishes the CINCs Preparedness 
Assessment Report (CSPAR). These reports provide a biennial appraisal of the preparedness of 
the unified and specified commands to accomplish Joint Strategic Capability Plan tasks (both 
supporting and supported) within the constraints of the total apportioned force (Active and 
Reserve). In the CSPAR, each CINC identifies overall strengths and significant deficiencies 
affecting the command's ability to carry out assigned missions and execute the plans produced 
during the most recent planning cycle. In submitting the CSPAR, CINCs are reporting on their 
ability to accomplish a specific task using available capabilities. 

The CINCs should be required to include an assessment of their ability to carry out assigned 
missions at the appropriate assessment scenario level and indicate the process used to determine 
preparedness. 

Joint Pub 1-03.32.1, "Combat Agency Assessment System," sets forth the guidelines and 
procedures for operating the Combat Support Agency Assessment System (CSAAS), a uniform 
system for reporting to the Secretary of Defense, the commanders of the unified and specified 
commands (CINCs), and the Secretaries of the Military Departments concerning readiness of 
each combat support agency to perform with respect to a war or threat to national security. 

Chairman, Joint Chief of Staff (CJCS)-sponsored exercises provide the principal means of on- 
site evaluation of agency responsiveness in reacting to National Command Authority decisions 
and CINC warfighting requirements. In the event no such exercises are scheduled during the first 
two quarters of even-numbered fiscal years, Joint Staff observers conduct independent site visits 
to each of the combat support agencies. Although the CSPAR is the principal means for the 
combatant commands to assess agency support, Joint Staff observers may also visit combatant 
command headquarters to discuss overall support, agency supporting plans, and ongoing efforts 
to improve shortfalls. 

These reports should be modified to include an annual assessment of the preparedness of the 
combat support agencies, at a specified assessment level, to carry out their mission. The 
two-year schedule currently followed in assessing the readiness of combat support agencies is 
not realistic in an age of information warfare. The information dependent processes of these 
agencies are directly tied to the ability to mobilize, deploy and sustain the forces. Currently, this 
is an unknown in the age of information warfare. 

Joint Pub 3-10.1, "Joint Tactics, Techniques, and Procedures for Base Defense," categorizes 
threats to bases in the rear area by the levels of defense required to counter them. Emphasis on 
specific base defense and security measures may depend on the anticipated threat level. (These 
threat levels are discussed in detail in Joint Pub 3-10.) 

a. Level I threats can be defeated by base or base cluster self-defense measures. 

b. Level II threats are beyond base or base cluster self-defense capabilities but can be 
defeated by response forces, normally military police (MP) units assigned to area 
commands with supporting fires. 

c. Level III threats necessitate the command decision to commit a Theater Contingency 
Force. Level III threats, in addition to major ground attacks, include major attacks by 
aircraft and theater missiles armed with conventional weapons or nuclear, biological and 
chemical (NBC) weapons. 

The threat to bases in the rear area should be modified to include information warfare attacks. 

Joint Pub 3-10.1 also spells out Threat Conditions and Responses and states that in combating 
terrorism, bases should use common terrorist threat conditions (THREATCONs), each with its 
specific security measures and required responses. 

Threat assessments are used to determine threat levels, to implement security decisions, and to 
establish awareness and resident training requirements. Threat levels are determined by an 
assessment of the situation using the following six terrorist threat factors: 

(1) Existence. A terrorist group is present, assessed to be present, or able to gain access to a 
given country or locale. 

(2) Capability. The acquired, assessed, or demonstrated level of capability to conduct 
terrorist attacks. 

(3) Intentions. Recent demonstrated anti-U.S. terrorist activity, or stated or assessed intent to 
conduct such activity. 

(4) History. Demonstrated terrorist activity over time. 

(5) Targeting. Current credible information on activity indicative of preparations for specific 
terrorist operations. 

(6) Security Environment. The internal political and security considerations that impact on 
the capability of terrorist elements to implement their intentions. 
The severity of the terrorist threat is indicated by the designated threat level, assigned through
analysis of the above threat assessment factors. Threat levels, and associated factors, are:

(1) Critical. Factors of existence, capability, and targeting must be present. History and 
intentions may or may not be present. 

(2) High. Factors of existence, capability, history and intentions must be present.

(3) Medium. Factors of existence, capability, and history must be present. Intentions may or 
may not be present. 

(4) Low. Existence and capability must be present. History may or may not be present. 

(5) Negligible. Existence and/or capability may or may not be present. 
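As an added illustration (not code from the report or from Joint Pub 3-10.1), the following Python encodes the six factors and five threat levels listed above as an ordered rule set; the factor names and the sample assessments are assumed for the example. It shows that the level rules overlap, so they must be tested from most to least severe, and that stated intent without history cannot raise the level above Low under these rules.

```python
"""Threat-level assignment from the six factors and five levels of Joint Pub 3-10.1
as quoted in the report.  Added illustration only: factor names and sample
assessments are constructed here.  The information-warfare adaptation the report
proposes is not attempted, because the report does not define IW-specific factors."""
from __future__ import annotations

from typing import Iterable

# The six threat factors named in the text.  The sixth (security environment)
# is assessed but is not required by any level's rule.
FACTORS = frozenset({
    "existence", "capability", "intentions", "history", "targeting",
    "security_environment",
})

# Levels in descending severity with the factors the text says MUST be present.
# Factors that "may or may not be present" are simply omitted.  The rules
# overlap (an assessment with every factor present satisfies Critical, High,
# Medium and Low at once), so order matters: most severe first, first match wins.
LEVEL_RULES: list[tuple[str, frozenset[str]]] = [
    ("Critical", frozenset({"existence", "capability", "targeting"})),
    ("High", frozenset({"existence", "capability", "history", "intentions"})),
    ("Medium", frozenset({"existence", "capability", "history"})),
    ("Low", frozenset({"existence", "capability"})),
    ("Negligible", frozenset()),
]


def _validate(present: Iterable[str]) -> frozenset[str]:
    """Reject factor names that are not part of the assessment vocabulary."""
    factors = frozenset(present)
    unknown = factors - FACTORS
    if unknown:
        raise ValueError(f"unknown threat factor(s): {sorted(unknown)}")
    return factors


def threat_level(present: Iterable[str]) -> str:
    """Return the threat level for the factors assessed as present."""
    factors = _validate(present)
    for level, required in LEVEL_RULES:
        if required <= factors:
            return level
    return "Negligible"  # unreachable: the empty Negligible rule always matches


def escalation_gaps(present: Iterable[str]) -> dict[str, set[str]]:
    """For every level above the one currently assigned, list the factors that
    would still have to be assessed present to reach it.  Useful when a warning
    has to state what evidence would raise the level."""
    factors = _validate(present)
    current = threat_level(factors)
    gaps: dict[str, set[str]] = {}
    for level, required in LEVEL_RULES:
        if level == current:
            break  # every rule before the current one is a higher level
        gaps[level] = set(required - factors)
    return gaps


if __name__ == "__main__":
    # Constructed assessments chosen to expose the edge cases in the rule set.
    samples = {
        "all six factors": FACTORS,
        "existence, capability, targeting (no history)": {"existence", "capability", "targeting"},
        "existence, capability, history, intentions": {"existence", "capability", "history", "intentions"},
        "existence, capability, intentions (no history)": {"existence", "capability", "intentions"},
        "capability only": {"capability"},
    }
    for label, present in samples.items():
        print(f"{label:48} -> {threat_level(present):10} gaps: {escalation_gaps(present)}")
```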

The terrorist threat level is one of several factors used in the determination of terrorist
THREATCON. Factors that enter into the decision to assign a particular THREATCON and its associated
measures include threat, target vulnerability, criticality of assets, security resource availability, 
impact on operations and morale, damage control, recovery procedures, international regulations, 
and planned U.S. Government actions that could trigger a terrorist response. 

The terrorist THREATCON system provides a common framework to facilitate inter-Service 
coordination, support U.S. military anti-terrorist activities, and enhance overall DoD 
implementation of U.S. Government anti-terrorist policy. THREATCONs are described below: 

(1) THREATCON NORMAL. Applies when a general threat of possible terrorist activity
exists, but the threat warrants a routine security posture.

(2) THREATCON ALPHA. Applies when there is a general threat of terrorist activity 
against personnel and installations, the exact nature and extent of which are unpredictable 
and circumstances do not justify full implementation of THREATCON BRAVO 
measures. However, base defense forces may have to implement selected measures from 
higher THREATCONs based on intelligence received. Base defense forces must be able 
to maintain the measures in this THREATCON indefinitely. 

(3) THREATCON BRAVO. Applies when an increased and more predictable threat of 
terrorist activity exists. Base defense forces must be able to maintain the measures of this 
THREATCON for weeks without causing undue hardship, without affecting operational 
capability, and without aggravating relations with local authorities. 

(4) THREATCON CHARLIE. Applies when an incident occurs or when intelligence 
indicates an imminent terrorist action against U.S. bases and personnel. Implementation 
of measures in the THREATCON for more than a short period probably will create 
hardship and affect peacetime activities of the unit and its personnel. Sustaining this 
posture for an extended period probably will require augmentation. 

(5) THREATCON DELTA. Applied in the immediate area where a terrorist attack has 
occurred or when intelligence has been received that terrorist action against a specific 
location is likely. Normally, this THREATCON is declared as a localized warning. 

The description of threat levels, threat assessments, severity of threat, and threat condition found 
in Joint Pub 3-10.1 is a good model for information warfare defense preparation, assessment, 
and warning. 
Finally, Joint Pub 3-54, "Joint Doctrine for Operations Security," Change 1, Appendix E,
outlines procedures for Operations Security (OPSEC) surveys. In general, these surveys:

a. Thoroughly examine an operation or activity to determine if adequate protection from 
adversary intelligence exploitation exists. 

b. Check on how effective the OPSEC measures of the operation or activity being surveyed
are in protecting its critical information.

c. Cannot be conducted until after an operation or activity has at least identified its critical
information, for without a basis of identified critical information, there can be no specific
determination that actual OPSEC vulnerabilities exist. (This is also true in information warfare.)

Each OPSEC survey is unique. Surveys differ in the nature of the information requiring
protection, the adversary collection capability, and the environment of the activity to be surveyed.

a. In combat, a survey's emphasis must be on identifying operational indicators that signal 
friendly intentions, capabilities, and/or limitations and that will permit the adversary to counter 
friendly operations or reduce their effectiveness. 

b. In peacetime, surveys generally seek to correct weaknesses that disclose information 
useful to potential adversaries in the event of future conflict. Many activities, such as operational 
unit tests, practice alerts, and major exercises, are of great interest to a potential adversary 
because they provide insight into friendly readiness, plans, crisis procedures, and C2 capabilities 
that enhance that adversary’s long-range planning. 

OPSEC Surveys are not Security Inspections: 

a. OPSEC surveys are different from security evaluations or inspections. A survey attempts 
to produce an adversary's view of the operation or activity being surveyed. A security inspection 
seeks to determine if an organization is in compliance with the appropriate security directives 
and regulations. 

b. Surveys are always planned and conducted by the organization responsible for the 
operation or activity that is to be surveyed. Inspections may be conducted without warning by 
outside organizations. 

c. OPSEC surveys are not a check on the effectiveness of an organization's security 
programs or its adherence to security directives. In fact, survey teams will be seeking to 
determine if any security measures are creating OPSEC indicators. 

d. Surveys are not punitive inspections, and no grades or evaluations are awarded as a result 
of them. Surveys are not designed to inspect individuals but are employed to evaluate operations 
and systems used to accomplish missions. 

e. To obtain accurate information, a survey team must depend on positive cooperation and
assistance from the organizations participating in the operation or activity being surveyed. If
team members must question individuals, observe activities, and otherwise gather data during the
course of the survey, they will inevitably appear as inspectors, unless this nonpunitive objective
is made clear.

f. Although reports are not provided to the surveyed unit's higher headquarters, OPSEC 
survey teams may forward to senior officials the lessons learned on a nonattribution basis. The 
senior officials responsible for the operation or activity then decide to further disseminate the
survey's lessons learned. 

There are two basic kinds of OPSEC surveys: command and formal. 

a. A command survey is performed using only command personnel and on events within
the particular command.

b. A formal survey requires a survey team composed of members from inside and outside the 
command and will normally cross command lines (after prior coordination) to survey supporting 
and related operations and activities. 

c. Both types of surveys follow the same basic sequence and procedures. 

Although Joint Pub 3-54 is scheduled to be rewritten, it is quoted extensively as another 
possible model for conducting information warfare assessments. The assessment methodology 
cited at the beginning of the annex should yield more rigorous conclusions. 

By adopting concepts from each of the Joint Pub sources cited above a standard vocabulary of 
status reporting, tied to specific information dependent processes, can be developed for 
information warfare. Such an assessment and reporting system should be developed that stands 
on its own for use in civil agencies and the commercial sector. Within the Department of 
Defense this may be more easily achieved by making suitable modification of the several 
portions of the Joint Reporting System. 

In the case of information warfare, as in the terrorism example above, a range of standardized
threat scenarios should be promulgated for use in conducting preparedness surveys, as
standardized assessment conditions for planning purposes, and a set of standardized threat
warnings or THREATCONs, if warning is available.

Whatever schema is used to evaluate the operational readiness of information dependent 
processes and activities, it must be timely and reflect the current state of the security policy being 
implemented, the supporting infrastructures (computers, communications, electricity and other 
supporting utilities) and the training status of the personnel, both systems administrators and 
users of information and information systems. 


Complexity Footnote: 


A military example of how the complexity builds is found in command and control warfare 
(C2W). The U.S. military defines C2W as an application of information warfare in military 
operations. 

The execution of C2W involves the integrated use of some or all of the tools of psychological 
operations (PSYOP), military deception, operations security (OPSEC), electronic warfare (EW), 
and physical destruction, mutually supported by intelligence, to deny information to, influence, 
degrade, or destroy adversary C2 capabilities while protecting friendly C2 capabilities against 
such actions. Again, these are just means to carry out information warfare in a particular military 
environment. 

Defensive tools called out in Joint Pub 6.0, Doctrine for C4 Systems Support to Joint Operations, 
include: 

(1) Physical security of facilities, 

(2) Personnel security of individuals authorized access to systems, 

(3) Operations security (OPSEC) procedures and techniques protecting operational 
employment of C4 system components, 

(4) Deception, deceiving the adversary about specific system configuration, operational 
employment, and degree of component importance to mission accomplishment, 

(5) Low probability of intercept (LPI) and low probability of detection (LPD) capabilities
and techniques designed to defeat adversary attempts to detect and exploit
transmission media,

(6) Emissions control procedures designed to support OPSEC and LPI/LPD objectives,

(7) Transmission security capabilities designed to support OPSEC and LPI/LPD
objectives,

(8) Communications security (COMSEC) capabilities to protect information transiting 
terminal devices and transmission media from adversary exploitation, 

(9) Computer security capabilities to protect information at rest, being processed, and 
transitioning terminal devices, switches, networks, and control systems from intrusion, 
damage, and exploitation, 

(10) System design and configuration control (e.g., protected distribution systems, 
protection from compromising emanation (TEMPEST)) to mitigate the impact of 
information technology vulnerabilities, and 

(11) Identifying technological and procedural vulnerability analysis and assessment 
programs. 

To this list can be added nonrepudiation, identification and authorization, end-user use of 
encryption services, transmission encryption, replication, and a host of other techniques to 
protect various elements of the information infrastructure. As in the case of C2W, these are tools 
and in themselves, they are not information warfare. 
APPENDIX D

ORGANIZATIONAL MODELS 




D.1 CENTERS FOR DISEASE CONTROL AND PREVENTION


Surveillance, Research, Prevention Efforts In The Area Of Infectious Diseases: 

Applicability Of CDC Experience To A 
National Center For Information Systems Security 


D.1.1 Introduction 

In the United States, the threat of infectious disease is changing rapidly in conjunction with 
dramatic changes in global society and environment. Worldwide, there is explosive population 
growth with expanding poverty and urban migration which, with rapid environmental changes, is 
resulting in the emergence of new and the reemergence of previously controlled infectious 
diseases; international travel is increasing so that infectious microbes can easily travel across 
borders with their human or animal hosts. Diseases that arise in other parts of the world are 
repeatedly introduced into the United States, where they may threaten our national health and 
security. 

The threats to the U.S. Information Technology (IT) infrastructure bear similarities to the 
emerging infectious disease threat to public health. In particular, the context of Information 
Warfare Defense is parallel to that in public health. IT infrastructure growth, changing 
technology and increasing network interconnectivity correspond to global population growth, 
environmental change and increased travel. The U.S. Government approach to the increasing 
public health threat, led by the Centers for Disease Control and Prevention (CDC), can provide 
lessons in responding to national IT security threats. 

D.1.2 Background and Legislative History 

The Centers for Disease Control and Prevention (CDC) is an agency of the Public Health 
Service, in the Department of Health and Human Services. Its mission is to promote health and 
quality of life by preventing and controlling disease, injury, and disability. As the nation's 
prevention agency, the CDC accomplishes its mission by working with partners throughout the 
nation and the world. 

The CDC formally came into being in a department reorganization in 1980. In 1993, the 
organization officially became known as the Centers for Disease Control and Prevention, but the 
commonly known abbreviation CDC remained. 

The CDC traces its beginnings to 1946 when the Communicable Disease Center was established 
as a Field Station of the Bureau of State Services in the Public Health Service. It took over the 
offices and some responsibilities of the DoD’s Office of Malaria Control which was being 
disestablished. The primary mission was to work with the States in tracking and controlling the 
spread of communicable diseases in the United States. 
The Center grew out of the general authority granted to predecessor organizations of the
Department of Health and Human Services (HHS). That is, no specific legislation was required
for its establishment. However, it is noteworthy that in 1893 Congress required that
municipal authorities report information weekly about the incidence of certain diseases to the
Public Health Service. Currently, CDC general authority flows through the general authority
given to the Secretary for Health and Human Services. Funding for studies on specific programs
such as lead poisoning prevention, HIV, and breast cancer prevention is contained in various
legislative acts.

CDC supports surveillance, research, prevention efforts, and training in the area of infectious
diseases through its National Center for Infectious Diseases (NCID). Created in 1981, NCID
is devoted to the prevention and control of traditional, new, and reemerging infectious diseases
in the United States and around the world.

NCID accomplishes its mission of preventing illness and death from infectious diseases by
focusing its resources in five areas:

Surveillance Of Infectious Diseases, In Collaboration With State And Local Health
Departments

Epidemiological And Laboratory Research

Formulating, Disseminating, And Evaluating Prevention And Control Strategies

Training And Consultation Programs In Cooperation With Other CDC Units And Outside
Agencies And Organizations

D.1.3 Concept of Operations: The CDC Approach to the Global Threat of Infectious
Disease

NCID Surveillance Activities 

NCID collects, analyzes, and interprets reports of nationally notifiable infectious diseases and
outbreaks submitted by state and local public health agencies and evaluates the findings. In
addition to this traditional form of surveillance, the center uses several other
systems to monitor trends in infectious diseases of public health importance. These systems
include laboratory-based surveillance; population-based active surveillance; sentinel physician
and hospital-based networks for surveillance of infections; analyses of national databases;
and surveys and studies of special populations and settings. The Center also collaborates
with international organizations and agencies in the global surveillance of selected pathogens.

Partnerships 

NCID provides epidemiological, microbiologic, and consultative services to federal agencies,
state and local health departments, medical and biomedical science institutions, schools of public
health, health care providers, and the World Health Organization (WHO) and other international
agencies.
D.1.4 Appropriate Analogies/Examples in the National Responses to the Threat of
Infectious Disease 

The similarities that the threats to the U.S. Information Technology (IT) infrastructure bear to the 
emerging infectious disease threat to public health suggest that the CDC experience can provide 
lessons in responding to national IT security threats. Below are elements of the CDC approach to 
the threat to U.S. public health which appear to apply to any formulation of a response to IT 
threats. 

Formulating a National Strategic Response Plan

CDC's NCID strategic plan of 1994 identified the need to:

• improve public health infrastructure at local, state and national level 

• recognize the global nature of the problem 

• institute global surveillance. 

The Plan’s goals are: 

Goal I - Surveillance: Detect, promptly investigate, and monitor emerging pathogens, the 
diseases they cause, and the factors influencing their emergence. 

Goal II - Applied Research: Integrate laboratory science and epidemiology to optimize public 
health practice. 

Goal III - Prevention and Control: Enhance communication of public health information about
emerging diseases and ensure prompt implementation of prevention strategies. 

Goal IV - Infrastructure: Strengthen local, state, and federal public health infrastructures to 
support surveillance and implement prevention and control programs. 

Similarly, the Federal Government must have a strategic plan to respond to the increasing IT 
threat, a plan to: 

• improve IT infrastructure security at the national level, 

• recognize the ubiquitous nature of the problem and 

• institute national (and even global) surveillance. 

The goals of such a plan could be expected to closely parallel those of CDC’s NCID strategic 
plan: 

Goal I - Surveillance: Detect, promptly investigate, and monitor Information Technology
Infrastructure threats, and the factors influencing their occurrence. A national consortium of IT
providers and users to promote rapid interchange of event occurrence information; a near real
time monitoring and assessment function.
Goal II - Applied Research: Integrate private industry, standards bodies, and the R&D community
in research and development to optimize public and private security practice. Support R&D in IT security.
Establish effectiveness studies and disseminate results.

[illegible in source] ... standards.

Goal IV - Infrastructure: Strengthen national and international [illegible in source]
surveillance and implement prevention and control programs. Promote establishment of
[illegible in source] training.

Establishing an Information Exchange Infrastructure

The Information Network for Public Health Officials (INPHO) was initiated by the Centers for
Disease Control and Prevention [illegible in source] to develop INPHO projects
for their own public health needs.

[illegible in source] ... information ... identify
health dangers ... communications and computer ...
giving state and community public health practitioners new command over information
resources ... that are critical to achieving these goals.

There are three essential [illegible in source] local clinics ... federal health
agencies, hospitals, managed care organizations and other providers, eliminating geographic and
bureaucratic barriers to communication and information exchange. Public health practitioners
have unprecedented electronic access to health publications, reports, databases, directories, and
other information. High speed communications capacity enables them to communicate and
exchange data locally and across the nation on the full universe of public health issues. (The
INPHO is described further in Attachment 1.)

Similarly, the Federal Government might promote or sponsor systematic information and data 
exchange among national, state and local IT users and providers to respond to the increasing IT 
threat. 

Convening an Inter-Agency Working Group to Recommend U.S. Government Actions 

A U.S. Government interagency working group was convened on December 14, 1994, to 
consider the global threat of emerging and re-emerging infectious diseases. The working group 
was established under the aegis of the Committee on International Science, Engineering, and 
Technology Policy (CISET) of President Clinton’s National Science and Technology Council. Dr. 
David Satcher, the Director of the Centers for Disease Control and Prevention (CDC), chaired 
the CISET working group, which included five sub-groups with co-chairs from CDC, the Food 
and Drug Administration (FDA), the National Institutes of Health (NIH), the U.S. Agency for 
International Development (USAID), the Department of Defense (DoD), and the State 
Department. The working group's membership, which included representatives from more than 
17 different Government agencies and departments, reviewed the U.S. role in detection, 
reporting, and response to outbreaks of new and re-emerging infectious diseases and made a 
number of recommendations which are described in Global Microbial Threats in the 1990s , 
published in late 1995 by the President’s National Science and Technology Council. 

As with the National Science and Technology Council’s Government interagency working group 
on the global microbial threat, a multi-agency government advisory panel to recommend U.S. 
Government responses to the IT threat might be appropriate. 

Forming Partnerships for Interaction, Cooperation, and Coordination

Effective public health policy results from interaction, cooperation, and coordination among a 
wide range of public and private organizations and individuals. Particularly critical to this 
process are CDC's partnerships with state and territorial health departments; other federal 
agencies; professional organizations; academic institutions; private health care providers; health 
maintenance organizations and health alliances; local community organizations; private industry; 
and international partners, including the World Health Organization (WHO) and international 
service organizations and foundations. Each of these partners plays an integral role in the
cooperative efforts required to safeguard the public's health from emerging infectious disease 
threats. 

CDC partnerships at the federal level have been helpful in confronting infectious diseases of 
public health importance in the United States. For example, CDC and NIH developed improved 
diagnostic tests for Lyme disease and various fungal infections. CDC has also worked closely 
with FDA and USDA in controlling emerging foodborne illnesses. Recent CDC collaborations
with EPA have been instrumental in recognizing and controlling waterborne outbreaks of
giardiasis and cryptosporidiosis in several states.

In addition, CDC has often joined forces with USDA and DoD to control or prevent vector-borne
infectious disease threats. Such cooperative efforts were used successfully to address potential
mosquito-borne illness following Hurricane Andrew in Florida and Louisiana in 1992.

Clear, well-established lines of communication and responsibility between appropriate personnel 
in federal agencies, such as CDC, NIH, EPA, FDA, USDA, DoD, and others, are essential to the 
development of efficient, cost-effective prevention and control strategies. Such links help 
eliminate costly duplication of effort and focus limited federal resources on the early recognition 
and timely control of new infectious disease problems. 

Similarly, any U.S. Government effort to meet the IT threat would require active, long-term
partnerships among Federal agencies and with elements of the IT industry. 

Assume International Leadership 

The CDC is actively promoting U.S. leadership in the development of an international 
partnership to address emerging infectious diseases. This leadership role is a natural one for the 
United States since American business leaders and scientists are in the forefront of the computer 
communications and biomedical research communities that must provide the technical and 
scientific underpinning for disease surveillance. The United States maintains more medical 
facilities and personnel abroad than any other country, in terms of both civilian and military, and 
public and private sector institutions. Furthermore, American scientists and public health 
professionals have been among the most important contributors to the international efforts to 
eradicate smallpox and polio. 

Similar arguments would support U.S. leadership in the formulation of a global response to what 
will surely become a global IT threat. 
Summary

To strengthen the public health infrastructure, the Centers for Disease Control and Prevention 
(CDC) initiated the Information Network for Public Health Officials (INPHO). CDC INPHO has 
three goals: (1) to make communication among public health practitioners throughout the United 
States easy, (2) to make information accessible, and (3) to make secure data exchange as swift 
and smooth as contemporary technology will allow. Based on a systems approach to supporting 
the core functions of public health, CDC INPHO achieves its goals by creating a flexible and 
user-responsive infrastructure of open communications and information exchange. 


"Where is the wisdom we have lost in knowledge? Where is the knowledge we have lost in 
information?" T.S. Eliot, The Rock 


Vision and Goals 

The Centers for Disease Control and Prevention (CDC) initiated the Information Network for 
Public Health Officials (INPHO) in 1992 as part of its strategy to strengthen the infrastructure of 
public health in the United States. [1] The vision driving CDC INPHO is that of a new, 
integrated public health information system based on a state-of-the-art telecommunications 
network linking the public health community and providing seamless exchange of information 
(see the box titled "INPHO: The Vision, the Need, the Basic Concepts"). When fully deployed,
CDC INPHO will become the common pathway for public health practitioners throughout the
United States, at the community, state, and national levels alike, to exchange information with
each other, with CDC, and with colleagues globally. As a result, every public health worker in 
the United States should be linked to every other public health worker through
telecommunications technology. 

CDC INPHO has three goals: (1) to make communication easy, (2) to make information 
accessible, and (3) to make secure data exchange as swift and smooth as contemporary 
technology will allow. Achieving those goals will involve a variety of activities in the states, 
depending on the status of their public health information strategy, telecommunications 
networks, end-user priorities, and other factors. Similarly, the CDC role will vary from state to 
state to serve the needs of their public health agencies. All INPHO activities, however, will focus 
on building a common public health information network linking all public health practitioners 
across the nation. 


Why We Need Better Communication 

A particularly insightful way to conceptualize the value of improved public health information 
comes from Harlan Cleveland, author of The Knowledge Executive: Leadership in an 
Information Society.[2] Cleveland makes the distinction between data, information, and 
knowledge. Data are undigested observations and unvarnished facts, basically the raw material
of public health. Information is organized data. In public health, however, information typically 
is assembled not by the practitioners who are the end users but by others who are often in remote, 
centralized agencies. Knowledge, in turn, is the product of information the end user organizes, 
internalizes, and integrates with everything else she or he knows from experience, study, or 
intuition. Knowledge, ultimately, is the best guide to our practice of public health. What public 
health professionals are interested in is creating access to information that will expand our 
knowledge base and guide our work. 

In thinking about developing an information network for public health officials, CDC focused on 
four critical needs (see the box ): 

* Connecting a fragmented system. Everyone familiar with the Institute of Medicine report on the
future of public health recognizes its diagnosis that the public health system is in disarray. [3]
This clearly indicates the need to take action that will [re]connect the elements of the fragmented
system. One way of doing this is through telecommunications technology.

* Linking public health professionals. Many public health professionals operate in significant 
isolation. One way to break down isolation is by connecting public health professionals through 
telecommunications technology. Two examples are CDC's WONDER/PC electronic mail and
forums and the national telecommunications network CDC has created as part of the Public 
Health Leadership Institute. 

* Leading and responding to health reform. Clearly, the public health community is in the 
information business and specifically in the business of providing information to the 
communities that public health serves. 
* Activating public health for the health reform environment. As health reform advances,
whether legislated in Washington and the states or propelled by market forces, public health
needs to ensure that its core functions continue to be performed.


INPHO: The Vision, the Need, the Basic Concepts 

The Vision 

* An integrated telecommunications network linking the public health 
community and providing exchange of data and information 

The Need 

* Connecting a fragmented system 
* Linking public health professionals 
* Empowering communities with information 
* Leading and responding to health reform 

The Basic Concepts 

* Linkage 

* Information access 
* Data exchange 


Three Key Concepts 

CDC INPHO embodies three concepts key to generating the data, information, and knowledge to 
address the needs outlined above (see the box). Linkage is the first key concept. Here CDC is 
active on several fronts. CDC is working with state and local, health agencies to build local and 
wide-area networks— actual physical construction of networks, supported in some cases through 
outside resources. Second, CDC is expanding "virtual networks" through the use of CDC 
WONDER PC, a software system that allows public health professionals to communicate across 
the globe through electronic mail and that also provides unprecedented access to data and 
information maintained in CDC's large public health databases. [4,5] Third, CDC is emphasizing 
the strategy of connecting to the Internet. CDC encourages each state to identify ways to connect 
with the Internet and have access to the information superhighway. 

In partnership with the Georgia Division of Public Health, CDC is implementing an INPHO 
project to electronically link all parts of the public health system -- the state health agency, district 
health departments, and county health departments. CDC is providing those offices access to the 
CDC information bases and other sources of information that the state public health agency and 
its project partners deem valuable. CDC will work with additional states in a similar manner 
beginning in late 1994, emphasizing development of network capabilities and applications 
defined by the states themselves. CDC also is linking its information system initiatives with its 
Distance Learning Program. A clear linkage exists between the INPHO concept of an 
information network and the notion of a public health training and distance learning network for 
public health professionals. 

The second key concept is information access. CDC generates a large body of information that is 
published in various forms, but not always in the form most accessible to end users. In this 
respect, the CDC INPHO is focused on improving practitioners' access to existing and future 
CDC information bases. The principal approach is to expand the number of information bases 
accessible through the CDC WONDER PC system. Areas that warrant particular mention are (1) 
the prevention guidelines database, (2) the training resource directory that will enable public 
health professionals to identify upcoming training offered by CDC and other organizations, and 
(3) on-line access to the Morbidity and Mortality Weekly Report, complete with tables and 
graphs. 

CDC is not attempting to expand access to information exclusively through the CDC WONDER 
PC system. Public health professionals currently access information in many other ways and from 
many other sources that have great value. It is CDC's hope that its own efforts will help public 
health professionals maximize their use of multiple access routes so they can achieve access to 
the information they want as rapidly as possible. 

Exchange of data and information is the third key INPHO concept. Many different types of data 
are involved, among them health status data, health risk information, and particularly data on 
health care services. As the era of health care reform advances, it will be vital for public health to 
have rapid, electronic access to health care services information from personal care providers. 

One important issue is that of automating data entry. Many health departments do not have 
access to automated data entry systems. Protecting personal privacy and ensuring confidentiality 
may be one of the most important issues of all. The structure of the data exchange system also is 
important. Currently, public health has many disparate data systems in place and needs to look to 
a more integrated approach. 

Finally, as health care reform becomes reality, related information systems are being created. It is 
essential that the public health community understand the implications of those systems and 
ensure that they generate information to support and enhance the ongoing core functions of 
population-based health assessment and assurance. 

David Satcher, CDC Director, has identified the obstacles public health faces in fulfilling the 
concept of data and information exchange: 

First, public health agencies at the local, state, and federal levels have a fragmented set of public 
information systems that threaten to overwhelm the capacity of state and local health departments 
to respond to the information needs they face. 

Second, there is variable access to technology. Some health departments do not have or cannot 
make ready use of the telecommunications technologies that the INPHO project envisions. 

Third, the issue of confidentiality is significant not only as a complex policy issue but also for its 
symbolic, perceptual importance. The American public is legitimately concerned about issues of 
confidentiality. The public health community must address this concern squarely and 
responsively. 

Fourth, public health does not have a wealth of existing integrated systems on which to model its 
own integrated information initiative. The lack of precedents clearly presents an obstacle but, at 
the same time, a professional challenge to "reinvent" public health using a "bootstraps" approach 
that draws on the creativity and energy characteristic of the public health profession. [6] 


CDC Strategies 

How is CDC confronting these obstacles? To address the problem of fragmented information 
systems, Martha Katz, CDC's Associate Director for Policy, Planning, and Evaluation, formed a 
collaborative committee in 1993 that drafted the Report on Public Health Information and 
Surveillance Systems. [7] The report contains a set of recommendations for action toward 
integrated health surveillance and information systems that was issued for review and reaction by 
state and local public health agencies in the spring of 1994. Initial responses were gathered 
during the March 1994 first annual CDC INPHO conference held in Atlanta, Georgia, and 
attended by public health representatives from across the nation. 

CDC is also working with states to support network development and address the obstacle of 
variable access to contemporary technology. The Georgia INPHO project is an invaluable 
prototype for the nation. CDC is mobilizing funding and other resources to help other states 
initiate similar projects that speak to their specific needs. CDC will support "knowledge transfer" 
from Georgia and the succeeding INPHO states. 

In 1994, CDC organized a confidentiality work group and charged it to assess the legal and 
technological dimensions of the issue and to develop recommendations and guidelines for 
protection of confidentiality in the context of integrated information and health surveillance 
systems. 

CDC's approach to dealing with the lack of precedents has two parts. The first is to proceed with 
the state INPHO projects and to learn from their experience. Second, and of equal importance, is 
to learn from the complementary projects that a number of state and local public health agencies 
have underway. These projects focus directly on integrated information systems, data exchange 
across categorical program lines, data exchange with hospitals and managed care providers, and 
other issues integral to the INPHO vision. A key role that CDC can play is to disseminate to the 
national public health community the innovations, successes, and lessons learned by innovative 
local and state projects. 


The INPHO Project and the Systems Approach 

A central tenet of systems thinking, as represented, for example, in the work of Peter Senge, is 
that today’s solutions create the issues of tomorrow. [8] 

This insight is germane to the CDC INPHO initiative. It cautions that the goal of INPHO should 
not be to increase the sheer volume of data and information available to public health 
professionals. Instead, it is to increase their ability to generate and access the information and 
knowledge they need to guard the health of the public. 

Information overload, already a reality in the lives of many public health professionals, threatens 
to become the leading occupational disease in the 21st century. Unfocused electronic information 
systems are a threat, not a boon, to public health. The rainfall of electronic mail that seemingly 
descends on users' computers overnight is a telling symptom. Surgeon General Joycelyn Elders 
recently remarked that a symptom of information overload is that the quantity of information in 
her professional life sometimes prevents her from enjoying the work that she knows in her heart 
she truly values. 

Confronted with the challenges of the 1990s and the 21st century, the public health community 
ultimately needs wisdom on which to base its decisions and choices of action. Harlan Cleveland 
defines wisdom as "Integrated knowledge, information made super useful by theory which relates 
bits and fields of knowledge to each other, which in turn enables us to use the knowledge to do 
something." [2 (p.23)] Only the human mind can synthesize wisdom from data and information. 
The vision of CDC INPHO necessarily is more modest. 

The key to building successful, integrated public health information systems is to focus on a 
vision consistent with the core mission and core functions of the profession. CDC INPHO is 
based on a systems approach to supporting the core functions of public health. It does that by 
creating a rich, flexible, and user-responsive infrastructure of open communications and 
information exchange. The CDC INPHO team is developing specific, valuable software and 
computer/telecommunications networks. The heart of the initiative, however, is the conceptual 
framework it provides for truly integrated health assessment and assurance both within the public 
health community and in conjunction with the evolving health care sector. 
D.2 FEDERAL EMERGENCY MANAGEMENT AGENCY FEDERAL RESPONSE 
PLAN ORGANIZATIONAL MODEL 

FEMA Experience: Applicability to the National Center for Information Systems Security Assurance 


D.2.1 Background 

FEMA is an independent federal agency with more than 2,600 full time employees: at FEMA 
headquarters in Washington D.C., at regional and area offices across the country, at the Mount 
Weather Emergency Assistance Center, and at the FEMA training center in Emmitsburg, 
Maryland. FEMA also has nearly 4,000 standby disaster assistance employees who are available 
to help out after disasters. Often FEMA works in partnership with other organizations that are 
part of the nation’s emergency management system. These partners include state and local 
emergency management agencies, 27 federal agencies and the American Red Cross. 

FEMA's Mission is to provide leadership and support to reduce the loss of life and property and 
protect our nation’s institutions from all types of hazards through a comprehensive, risk-based, 
all-hazards emergency management program of mitigation, preparedness, response and recovery. 

FEMA accomplishes its mission through a very broad range of activities, including: 

• helping equip local and state emergency preparedness... 

• coordinating the federal response to a disaster... 

• making disaster assistance available to states, communities, businesses and individuals... 

• advising on building codes and flood plain management... 

• teaching people how to get through a disaster... 

• training emergency managers...supporting the nation's fire service... 

• administering the national flood and crime insurance programs... 

In particular, FEMA fully or partially funds emergency management programs and staff in all 56 
states and territories, and helps design and equip emergency operations in thousands of localities. 
An important objective of this assistance is effective preparedness through planning. Emergency 
Operations Plans are updated periodically and submitted to FEMA for review. 


D.2.2 Concept of Operations 

The Federal Emergency Management Agency’s Federal Response Plan (for Public Law 93-288, 
as amended) describes FEMA’s Concept of Operations to address the consequences of any 
disaster or emergency situation in which there is a need for Federal response assistance under the 
authorities of the Stafford Act. It is applicable to natural disasters; technological emergencies 
involving radiological or hazardous material releases; and other incidents requiring Federal 
assistance under the Act. 

[...] provision of Federal assistance, the Plan uses a functional approach to [...]. Other agencies 
have been designated as support agencies for [...] ESFs [...] primary [...] appointed by the 
Director of FEMA on behalf of the President. Federal assistance [...] State to [...] provide Federal 
response assistance based on State-identified priorities. [...] appropriate ESF headquarters office 
for further action. 

One or more disasters may affect a number of States and regions concurrently. In those 
instances the Federal government will conduct multi-State response operations, or [...] declared 
State, an FCO and [...] resources to support the operations of all of the declared States. 


D.2.3 Legislative History/Authorities 


In 1988 Public Law 93-288 was amended by Public Law 100-707 and retitled as the Robert T. 
Stafford Disaster Relief and Emergency Assistance Act [...] to save lives and protect public health, 
safety, and property. 
In providing response assistance under the Federal Response Plan, Federal departments and 
agencies are covered under the authorities of P.L. 93-288, as amended. Under P.L. 93-288, the 
President may direct any Federal agency to utilize its authorities and resources in support of State 
and local assistance efforts. This authority has been further delegated to the Director, FEMA, the 
Associate Director, State and Local Programs and Support (SLPS), and to the FEMA Regional 
Directors in carrying out the provisions of the Stafford Act. 

Response by departments and agencies to lifesaving and life protecting requirements under the 
Plan has precedence over other Federal response activities, except where national security 
implications are determined to be of a higher priority. Support from departments and agencies 
will be provided to the extent that it does not conflict with other emergency 

D.2.4 Relationships with Other Government Agencies 

General Information 


Numerous federal agencies and departments are partners in the nation's emergency management 
system. In planning, they participate in training exercises and conduct a variety of activities to 
help the nation prepare for disasters. For example, the Federal Communications Commission 
and the Commerce Department's National Weather Service provide on-going warning and 
disaster tracking services. In a catastrophic disaster, FEMA coordinates the federal response, 
working with 27 federal partners and the American Red Cross to provide emergency food and 
water, medical supplies and services, search and rescue operations, transportation assistance, 
environmental assessment, and more. The National Disaster Medical System is a partnership set 
up to provide emergency medical services in a disaster, involving FEMA, the Department of 
Health and Human Services, the Department of Defense, the Veterans Administration, as well as 
public and private hospitals across the country. 

• National emergency management organizations. Emergency preparedness and response 
requires the efforts of many people. FEMA works in partnership with national 
organizations dedicated to assisting the public in preparation for and response to a 
disaster. FEMA supports the efforts of the National Emergency Management Association 
(NEMA), whose membership includes state emergency managers, and the National 
Coordinating Council on Emergency Management (NCCEM), whose membership 
includes local emergency managers. 

• State emergency management departments. When a disaster overwhelms local resources, 
the task of coordinating response moves to the next level -- the state. States take a leading 
role in response to any large-scale disaster, even those so major that federal assistance is 
requested. FEMA supports the state emergency management in many ways, from funding 
state planning to working directly with state agencies to managing a large-scale response. 

• Local emergency management agencies. Local emergency management programs are the 
heart of the nation's emergency management system. FEMA supports them with funding 
for emergency planning and equipment, by offering training courses for emergency 
managers and firefighters, by conducting exercises for localities to practice their response, 
and by promoting ways to minimize disasters' effects. FEMA also builds partnerships 
with mayors, county boards and other elected and appointed officials who share 
responsibility for emergency management. 

• Partnerships with the private sector. Disaster requires the full resources of a community 
to help people respond and recover. FEMA encourages all sectors of society -- from 
business and industry to volunteer organizations -- to work together in disaster 
preparation, response and recovery. FEMA assists in coordinating activities of a variety 
of players, including private contractors, hospitals, volunteer organizations and area 
businesses. It is through these partnerships of people working together that communities 
are able to put the pieces back together. 


Relationships with Other U.S. Government Agencies 


The Federal Emergency Management Agency’s Federal Response Plan provides standing 
mission assignments to the designated departments and agencies with primary and support 
responsibilities to carry out Emergency Support Functions (ESFs). Federal departments and 
agencies designated as primary agencies serve as Federal executive agents under the FCO in 
accomplishing the ESF response missions. Upon activation of an ESF, a primary agency is 
authorized, in coordination with the Federal Coordinating Officer (FCO) and the State, to initiate 
and continue actions to carry out the ESF missions described in the ESF Annexes to the Plan, 
including tasking of designated support agencies to carry out assigned ESF missions. 

At the national level, primary agencies are responsible to plan and coordinate with their support 
agencies for the delivery of ESF-related assistance. Primary agencies are responsible for 
preparing and maintaining the ESF annexes and appendices to the Plan to reflect the policies, 
procedures regarding assistance to be provided, and associated responsibilities of the designated 
primary and support agencies. 


Support agencies will assist the primary agencies in preparing and maintaining ESF annexes and 
appendices, developing national and regional operating procedures, and providing support for 
ESF operations. 


EMERGENCY SUPPORT FUNCTION #1: TRANSPORTATION 


The purpose of this Emergency Support Function (ESF) is to provide for the coordination of 
Federal transportation support to State and local governmental entities, voluntary organizations, 
and Federal agencies requiring transportation capacity to perform disaster assistance missions 
following a catastrophic earthquake, significant natural disaster, or other event requiring Federal 
response. 


PRIMARY AGENCY: Department of Transportation 
SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Defense 

• Department of Energy 

• Department of State 

• General Services Administration 

• Interstate Commerce Commission 

• Tennessee Valley Authority 

• Postal Service 

EMERGENCY SUPPORT FUNCTION #2: COMMUNICATIONS 

The purpose of this Emergency Support Function (ESF) is to assure the provision of Federal 
telecommunications support to Federal, State, and local response efforts following a 
Presidentially declared emergency, major disaster, extraordinary situation and other emergencies 
under the Federal Response Plan. This ESF supplements the provisions of the National Plan for 
Telecommunications Support in Non-Wartime Emergencies, hereafter referred to as the National 
Telecommunications Support Plan (NTSP). 

PRIMARY AGENCY: National Communications System 

SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Commerce 

• Department of Defense 

• Department of the Interior 

• Department of Transportation 

• Federal Communications Commission 

• Federal Emergency Management Agency 

• General Services Administration 

EMERGENCY SUPPORT FUNCTION #3: PUBLIC WORKS AND ENGINEERING 


The purpose of this Emergency Support Function (ESF) is to provide Public Works and 
Engineering support to assist the State(s) in needs related to lifesaving or life protecting 
following a major or catastrophic disaster. 

PRIMARY AGENCY: Department of Defense; U.S. Army Corps of Engineers 

SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Commerce 
• Department of Energy 

• Department of Health and Human Services 

• Department of the Interior 

• Department of Labor 

• Department of Transportation 

• Department of Veterans Affairs 

• Environmental Protection Agency 

• General Services Administration 

• Tennessee Valley Authority 


EMERGENCY SUPPORT FUNCTION #4: FIREFIGHTING 

significant natural disaster or other event requiring Federal response assistance. 

PRIMARY AGENCY: Department of Agriculture; Forest Service 

SUPPORT AGENCIES: 

• Department of Commerce 

• Department of Defense 

• Department of the Interior 

• Environmental Protection Agency 

• Federal Emergency Management Agency 

EMERGENCY SUPPORT FUNCTION #5: INFORMATION AND PLANNING 

Information and Planning: collect, process and disseminate [...] actual disaster or emergency to 
facilitate the overall activities of the Federal government in providing response assistance to an 
affected State. 

PRIMARY AGENCY: Federal Emergency Management Agency 

SUPPORT AGENCIES: 

• Department of Agriculture 
• Department of Commerce 
• Department of Defense 
• Department of Education 
• Department of Energy 
• Department of Health and Human Services 
• Department of the Interior 
• Department of Justice 
• Department of Transportation 
• Department of the Treasury 
• American Red Cross 
• Environmental Protection Agency 
• General Services Administration 
• National Aeronautics and Space Administration 
• National Communications System 
• Nuclear Regulatory Commission 

EMERGENCY SUPPORT FUNCTION #6: MASS CARE 

The purpose of this Emergency Support Function (ESF) is to coordinate efforts to provide 
sheltering, feeding, and emergency first aid following a catastrophic earthquake, significant 
natural disaster or other event requiring Federal response assistance; to operate a Disaster 
Welfare Information (DWI) System to collect, receive, and report information about the status of 
victims and assist with family reunification supplies to disaster victims following a disaster. 

PRIMARY AGENCY: American Red Cross 

SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Commerce 

• Department of Defense 

• Department of Health and Human Services 

• Department of Housing and Urban Development 

• Department of Transportation 

• Department of Veterans Affairs 

• Federal Emergency Management Agency 

• General Services Administration 

• Postal Service 

EMERGENCY SUPPORT FUNCTION #7: RESOURCE SUPPORT 

The purpose of this Emergency Support Function (ESF) is to provide logistical/resource support 
following a catastrophic earthquake, other significant natural disaster or other event requiring 
Federal response. 

PRIMARY AGENCY: General Services Administration 

SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Commerce 

• Department of Defense 

• Department of Energy 

• Department of Health and Human Services 
• Department of Labor 

• Department of Transportation 

• Department of Veterans Affairs 

• Federal Emergency Management Agency 

• National Communications System 

• Office of Personnel Management 


EMERGENCY SUPPORT FUNCTION #8: HEALTH AND MEDICAL SERVICES 

The purpose of this [...] and [...] provided under ESF #8 - Health and Medical Services, is directed 
by the Department of Health and Human Services (HHS) through [...] (PHS). Resources will be 
furnished [...] requested from the Federal Government. 

PRIMARY AGENCY: Department of Health and Human Services; U.S. Public Health Service 


SUPPORT AGENCIES: 


• Department of Agriculture 

• Department of Defense 

• Department of Justice 

• Department of Transportation 

• Department of Veterans Affairs 

• Agency for International Development 

• American Red Cross 

• Environmental Protection Agency 

• Federal Emergency Management Agency 

• General Services Administration 

• National Communications System 

• Postal Service 


EMERGENCY SUPPORT FUNCTION #9: URBAN SEARCH AND RESCUE 

[...] for the immediate medical treatment of victims trapped in collapsed structures. 


PRIMARY AGENCY: Department of Defense 


SUPPORT AGENCIES: 
• Department of Agriculture 

• Department of Health and Human Services 

• Department of Labor 

• Department of Transportation 

• Agency for International Development 

• Environmental Protection Agency 

• Federal Emergency Management Agency 

• General Services Administration 

EMERGENCY SUPPORT FUNCTION #10: HAZARDOUS MATERIALS 

The purpose of this Emergency Support Function (ESF) is to provide Federal support to State 
and local governments in response to an actual or potential discharge and/or release of hazardous 
materials following a catastrophic earthquake or other catastrophic disaster. 

PRIMARY AGENCY: Environmental Protection Agency 

SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Commerce 

• Department of Defense 

• Department of Energy 

• Department of Health and Human Services 

• Department of the Interior 

• Department of Justice 

• Department of Labor 

• Department of State 

• Department of Transportation 

• Federal Emergency Management Agency 

• General Services Administration 

• Nuclear Regulatory Commission 

EMERGENCY SUPPORT FUNCTION #11: FOOD 

The purpose of this Emergency Support Function (ESF) is to identify, secure, and arrange for the 
transportation of food assistance to affected areas following a major disaster or emergency or 
other event requiring Federal response. 

PRIMARY AGENCY: Department of Agriculture 

SUPPORT AGENCIES: 

• Department of Defense 

• Department of Health and Human Services 

• Department of Transportation 


• American Red Cross 

• Environmental Protection Agency 

• Federal Emergency Management Agency 

EMERGENCY SUPPORT FUNCTION #12: ENERGY 

The purpose of this Emergency Support Function (ESF) is to [...] safety, and property, as well as 
carry out other emergency response [...] 

PRIMARY AGENCY: Department of Energy 


SUPPORT AGENCIES: 

• Department of Agriculture 

• Department of Defense 

• Department of State 

• Department of Transportation 

• General Services Administration 

• National Communications System 

• Nuclear Regulatory Commission 

• Tennessee Valley Authority 
ATTACHMENT 1 

COMPENDIUM OF EMERGENCY AUTHORITIES AND DIRECTIVES 

PUBLIC LAW 78-410, "PUBLIC HEALTH SERVICE ACT," SECTION 216, 42 U.S.C. 217 — 

This provision authorizes the President, in time of war or upon Presidential declaration of an 
emergency, to utilize the Public Health Service to the extent and in the manner that in his 
judgment will promote the public interest. 

PUBLIC LAW 78-410, "PUBLIC HEALTH SERVICE ACT," SECTION 311, 42 U.S.C. 243 

This provision authorizes the Secretary of Health and Human Services to develop (and may take 
such action as may be necessary to implement) a plan under which personnel, equipment, 
medical services, and other resources of the Public Health Service and other agencies under the 
jurisdiction of the Secretary may be effectively used to control epidemics of any disease or 
condition, as specified, and to meet other health emergencies or problems involving or resulting 
from disasters or any such disease. 

PUBLIC LAW 78-410, "PUBLIC HEALTH SERVICE ACT," SECTION 319 — 

This provision authorizes the Secretary of Health and Human Services to take appropriate action 
to respond to a "public health emergency" resulting from disease, disorder, or other cause. The 
Secretary must consult with the Director of the National Institutes of Health, Administrator of the 
Alcohol, Drug Abuse, and Mental Health Administration, Commissioner of the Food and Drug 
Administration, or the Director of the Centers for Disease Control before determining that an 
emergency exists, and he must act through that official in responding to the emergency. 

PUBLIC LAW 81-774, "DEFENSE PRODUCTION ACT OF 1950, AS AMENDED," 50 
U.S.C. 2061, TITLE I, SECTION 101(a) AND 101(b) — 

This provision authorizes the President to establish performance priorities and to allocate 
materials and facilities to promote the national defense. 

PUBLIC LAW 93-288, AS AMENDED BY PUBLIC LAW 100-707, "ROBERT T. 
STAFFORD DISASTER RELIEF AND EMERGENCY ASSISTANCE ACT," NOVEMBER 
23, 1988 -- 

The Robert T. Stafford Disaster Relief and Emergency Assistance Act, P.L. 93-288 as amended, 
provides an orderly and continuing means of assistance by the Federal Government to State and 
local governments in carrying out their responsibilities to alleviate the suffering and damage 
which result from disasters. The President, in response to a State Governor’s request, may 
declare an "emergency" or "major disaster," in order to provide Federal assistance under the Act. 
The President, in Executive Order 12148, delegated all functions, except those in Sections 301, 
401, and 409, to the Director, Federal Emergency Management Agency (FEMA). The Act 
provides for the appointment of a Federal Coordinating Officer who will operate in the 
designated area with a State Coordinating Officer for the purpose of coordinating state and local 
disaster assistance efforts with those of the Federal Government. 

PUBLIC LAW 95-124, "EARTHQUAKE HAZARDS REDUCTION ACT OF 1977," 42 
U.S.C. 7701 AND 7704 — 

The Earthquake Hazards Reduction Act of 1977, as amended by P.L. 96-472 and P.L. 99-105, 
provides for the establishment of the National Earthquake Hazards Reduction Program (NEHRP) 
to reduce the risk to life and property from future earthquakes in the United States. FEMA is 
designated as the agency with primary responsibilities to plan and coordinate the NEHRP, which 
has five major elements: Hazard Delineation and Assessment; Earthquake Prediction Research; 
Seismic Design and Engineering Research; Preparedness Planning and Hazard Awareness; and 
Fundamental Seismological Studies. Planning for the Federal response to a catastrophic 
earthquake is a major aspect of Preparedness Planning and Hazard Awareness under the NEHRP. 

PUBLIC LAW 95-313, "COOPERATIVE FORESTRY ASSISTANCE ACT OF 1978" — 

This Act authorizes the Secretary of Agriculture to assist in the prevention and control of rural 
fires through coordination among Federal, State, and local agencies; and to provide prompt and 
adequate assistance whenever a rural fire emergency overwhelms, or threatens to overwhelm, the 
firefighting capability of the affected State or rural area. 

PUBLIC LAW 96-510, "COMPREHENSIVE ENVIRONMENTAL RESPONSE, 
COMPENSATION, AND LIABILITY ACT OF 1980," SECTION 104(i), 42 U.S.C. 9604(i) — 

More popularly known as "Superfund", CERCLA was passed to provide the needed general 
authority for Federal and State governments to respond directly to hazardous substances 
incidents. 

PUBLIC LAW 101-640, "WATER RESOURCES DEVELOPMENT ACT OF 1990," 
TITLE III, SECTION 302, 5(A)(1), NOVEMBER 28, 1990 — 

This Act amends 33 U.S.C. 701n(a)(1) by replacing the term "flood emergency preparation" to 
include "preparation for emergency response to any disaster" and includes a provision that "The 
emergency fund may be expended for emergency dredging for restoration of authorized projects 
for Federal navigable channels and waterways made necessary by flood, drought, earthquake, or 
other natural disasters." 

UNITED STATES CONGRESS ACT OF JANUARY 5, 1905, AS AMENDED, 36 U.S.C. 

The American National Red Cross Congressional Charter assigning the authority and 
responsibility for the American Red Cross to undertake activities for the relief of individuals 
suffering from a disaster. 

COMMUNICATIONS ACT OF 1934, AS AMENDED — 

This Act gives the Federal Communications Commission emergency authority to grant Special 
Temporary Authority on an expedited basis to operate radio frequency devices. 

OLDER AMERICANS ACT OF 1965, AS AMENDED, SECTION 310, 42 U.S.C. 3030 — 

This provision authorizes the Commissioner of the Administration on Aging to reimburse States 
for social services provided to older Americans following a Presidentially-declared disaster. 

FOOD STAMP ACT OF 1977, SECTION 5(h)(1), IMPLEMENTED BY PROPOSED FINAL 
RULEMAKING AT 46 CFR 8922 AND 46 CFR 8923 — 

Authorizes the Department of Agriculture to make food stamps available to low income 
households in any disaster situation in which normal channels of retail food distribution have 
been restored and the existing Food Stamp Program cannot handle applications from affected 
households. Food stamp assistance must be requested by a State. 

INTERSTATE COMMERCE ACT, EMERGENCY RATES, 49 U.S.C. 10724 AND 
11121 TO 11128 — 

These authorities allow the Interstate Commerce Commission (ICC) to authorize a common 
carrier to give reduced rates for service and transportation in an emergency. Further, these 
authorities permit the ICC to suspend any car service rule or practice, take action during 
emergencies to promote car service in the interest of the public and commerce; to require joint or 
common use of facilities when that action will best meet the emergency; to direct preferences or 
priorities in transportation, embargoes, or movement of traffic under permits; and to reroute 
traffic. 

"ROBERT T. STAFFORD DISASTER RELIEF AND EMERGENCY ASSISTANCE 
ACT (P.L. 93-288, AS AMENDED)," IMPLEMENTED BY FOOD DISTRIBUTION 
REGULATIONS, PARTS 250.1(b) AND 250.8(e) — 

These provisions allow any person/household temporarily displaced by a disaster to obtain 
USDA foods in congregate feeding provided by volunteer organizations such as the American 
Red Cross and the Salvation Army; no formal approval is required from USDA. Additionally, 
low income families can receive household distributions of food in situations where a Food 
Stamp Program is not available (e.g., commercial channels of trade are disrupted); formal USDA 
approval is required. 
EXECUTIVE ORDER 10480, AS AMENDED, "FURTHER PROVIDING FOR THE 
ADMINISTRATION OF THE DEFENSE MOBILIZATION PROGRAM," AUGUST 14, 1953 — 

Part II of the Order delegates to the Director, FEMA, with authority to redelegate, the priorities 
and allocation functions conferred on the President by Title I of the Defense Production Act of 
1950, as amended. 

EXECUTIVE ORDER 12148, "FEDERAL EMERGENCY MANAGEMENT," JULY 20, 
1979 — 

Executive Order 12148 transferred functions and responsibilities associated with Federal 
Emergency Management to the Director, FEMA. Assigns the Director, FEMA, the responsibility 
to establish Federal policies for and to coordinate all civil defense and civil emergency planning, 
management, mitigation, and assistance functions of Executive Agencies. 

EXECUTIVE ORDER 12472, "ASSIGNMENT OF NATIONAL SECURITY AND 
EMERGENCY PREPAREDNESS TELECOMMUNICATIONS FUNCTIONS," APRIL 3, 1984 — 

Executive Order 12472 establishes the National Communications System (NCS). The NCS 
consists of the telecommunications assets of the entities represented on the NCS Committee of 
Principals and an administrative structure consisting of the Executive Agent, the NCS Committee 
of Principals and the Manager. The NCS Committee of Principals consists of representatives 
from those Federal departments, agencies, or entities, designated by the President, which lease or 
own telecommunications facilities or services of significance to national security or emergency 
preparedness. 

EXECUTIVE ORDER 12656, "ASSIGNMENT OF EMERGENCY PREPAREDNESS 
RESPONSIBILITIES," November 18, 1988 — 

Assigns emergency preparedness responsibilities to Federal departments and agencies. 

EXECUTIVE ORDER 12657, "FEMA ASSISTANCE IN EMERGENCY 
PREPAREDNESS PLANNING AT COMMERCIAL NUCLEAR POWER PLANTS," 
NOVEMBER 18, 1988 — 

Assigns FEMA and other Federal agencies certain emergency planning responsibilities related to 
commercial nuclear power plants. 

EXECUTIVE ORDER 12777, "IMPLEMENTATION OF SECTION 311 OF THE 
FEDERAL WATER POLLUTION ACT OF OCTOBER 18, 1972, AS AMENDED, AND THE 
OIL POLLUTION ACT OF 1990," OCTOBER 18, 1991 — 

Refers to certain activities of the National Response Team and the Regional Response Team 
under the National Contingency Plan. 

7 CFR, PART 250.1(B)(10)&(11) — 

Refers to Sections 409 and 410(b) of P.L. 93-288, as amended, Robert T. Stafford Disaster Relief 
and Emergency Assistance Act, which reads, "The Secretary of Agriculture shall utilize funds 
appropriated under Section 32 of the Act of August 1935 (7 U.S.C. 612c) to purchase food 
commodities necessary to provide adequate supplies for use in any area of the United States in 
the event of a major disaster or emergency in such area." 

28 CFR, PART 65, "EMERGENCY FEDERAL LAW ENFORCEMENT ASSISTANCE"; 
FINAL RULE — 


These Department of Justice regulations implement the Emergency Federal Law Enforcement 
Assistance functions vested in the Attorney General by the Justice Assistance Act of 1984 
(Public Law 98-473). Those functions were established to assist State and/or local units of 
government in responding to a law enforcement emergency. The Act defines the term "law 
enforcement emergency" as an uncommon situation which requires law enforcement, which is or 
threatens to become of serious or epidemic proportions, and with respect to which State and local 
resources are inadequate to protect the lives and property of citizens, or to enforce the criminal 
law. Emergencies which are not of an ongoing or chronic nature, such as the Mount Saint Helens 
volcanic eruption, are eligible for Federal law enforcement assistance. Such assistance is defined 
as funds, equipment, training, intelligence information, and personnel. Requests for assistance 
must be submitted in writing to the Attorney General by the chief executive officer of a State. 

The Plan does not cover the provision of law enforcement assistance. Such assistance will be 
provided in accordance with the regulations referred to in this paragraph [28 CFR Part 65, 
implementing the Justice Assistance Act of 1984] or pursuant to any other applicable authority of 
the Department of Justice. 

40 CFR PART 300, "NATIONAL OIL AND HAZARDOUS SUBSTANCES 
POLLUTION CONTINGENCY PLAN" (NCP) — 

The purpose of the NCP is to effectuate the powers and responsibilities for responding to 
nonradiological oil and hazardous substances discharges, releases, or substantial threats of 
releases as specified in the Comprehensive Environmental Response, Compensation and Liability 
Act, as amended, (CERCLA) and the authorities established by Section 311 of the Clean Water 
Act, as amended. The plan is required by section 105 of CERCLA, 42 U.S.C. 9605, and by 
section 311(c)(2) of the Clean Water Act, as amended, 33 U.S.C. 1321(c)(2). 

44 CFR PART 322, AS AMENDED, "DEFENSE PRODUCTION: PRIORITIES AND 
ALLOCATION AUTHORITY (DMA-3)" — 

The Order delegates the functions of the Director, FEMA, under Title I of the Defense 
Production Act, as amended, to those offices and agencies named in Section 201 of Executive 
Order 10480 with respect to the areas of responsibility designated and to the Secretary of 
Transportation with respect to priorities and allocations for civil transportation services. 

FEDERAL COMMUNICATIONS COMMISSION REPORT AND ORDER OF 
AUGUST 4, 1981 — 

This order modified parts 2, 90, and 99 of the Commission Rules and Regulations to establish a 
disaster radio response capability for local government and State radio services. 

FEDERAL RADIOLOGICAL EMERGENCY RESPONSE PLAN — 

This document is to be used by Federal agencies in peacetime radiological emergencies. It 
primarily concerns the off-site Federal response in support of State and local governments with 
jurisdiction for the emergency. The Federal Radiological Emergency Response Plan (FRERP) 
provides the Federal government's concept of operations based on specific authorities for 
responding to radiological emergencies, outlines Federal policies and planning assumptions that 
underlie this concept of operations and on which Federal agency response plans were based, and 
specifies authorities and responsibilities of each Federal agency that may have a significant role 
in such emergencies. 

"NATIONAL PLAN FOR TELECOMMUNICATIONS SUPPORT IN NON-WARTIME 
EMERGENCIES," JANUARY 1992 — 

This plan provides guidance in planning for and providing telecommunications support for 
Federal agencies involved in emergencies, major disasters ... 

DEPARTMENT OF DEFENSE DIRECTIVE 3025.1, "MILITARY SUPPORT TO CIVIL 
AUTHORITIES (MSCA)," 1992 — 


This directive outlines Department of Defense (DOD) policy on assistance to the civilian sector 
during disasters and other emergencies. Use of DOD military resources in civil emergency relief 
operations will be limited to those resources not immediately required for the execution of the 
primary defense mission. Normally, DOD military resources will be committed as a supplement 
to non-DOD resources which are required to cope with the humanitarian and property protection 
requirement caused by the emergency. In any emergency, commanders are authorized to employ 
DOD resources to save lives, prevent human suffering, or mitigate great property loss. Upon 
declaration of a major disaster under the provisions of P.L. 93-288, as amended, the Secretary of 
the Army is the DOD Executive Agent, and the Director of Military Support is the action agent 
for civil emergency relief operations. Military personnel will be under command of and directly 
responsible to their military superiors and will not be used to enforce or execute civil law in 
violation of 18 U.S.C. 1385 except as otherwise authorized by law. Military resources shall not 
be procured, stockpiled, or developed solely to provide assistance to civil authorities during 
emergencies. 


FEDERAL PREPAREDNESS CIRCULAR 8, "PUBLIC AFFAIRS IN EMERGENCIES" — 


This Circular establishes the Interagency Committee on Public Affairs in Emergencies (ICPAE) 
to coordinate public information planning and operations for management of emergency 
information. The Circular was reviewed in draft by the ICPAE and will receive formal 
department and agency review. 

AMERICAN RED CROSS DISASTER SERVICES REGULATIONS AND 
PROCEDURES, ARC 3003, JANUARY 1984 — 

This document details the delegation of disaster services program responsibilities to officials and 
units of the American Red Cross. Also defined are Red Cross administrative regulations and 
procedures for disaster planning, preparedness, and response. 

AMERICAN NATIONAL RED CROSS MASS CARE PREPAREDNESS AND 
OPERATION PROCEDURES AND REGULATIONS, ARC 3031 — 

This document details the Red Cross mass care preparedness and operating regulations and 
procedures. 

AMERICAN NATIONAL RED CROSS NATIONAL BOARD OF GOVERNORS 
DISASTER SERVICES POLICY STATEMENT, JULY 1, 1977 — 

This document outlines the basic policies of the American Red Cross disaster services program, 
and the disaster relief services to be provided by units of the American Red Cross on a uniform 
and nationwide basis. 

STATEMENT OF UNDERSTANDING BETWEEN THE FEDERAL EMERGENCY 
MANAGEMENT AGENCY AND THE AMERICAN NATIONAL RED CROSS, JANUARY 
22, 1982 — 

The statement of understanding between FEMA and the American National Red Cross describes 
major responsibilities in disaster preparedness planning and operations in the event of a 
war-caused national emergency or a peacetime disaster, outlines areas of mutual support and 
cooperation, and provides a frame of reference for similar cooperative agreements between State 
and local governments and the operations headquarters and chapters of the ARC. 
D.3 NATIONAL DRUG INTELLIGENCE CENTER 


A Quick Look at the National Drug Intelligence Center (NDIC) 
for Lessons Applicable to the Formation of a 
National Defensive Information Warfare Center 


D.3.1 Background and Legislative History 


During the cocaine epidemic of the late 1980s, U.S. public opinion demanded greater Federal 
Government efforts to combat a nationwide drug problem. Members of Congress and the 
Executive Branch both reacted with pronouncements and policy moves. In 1988, the Office of 
... the Defense Department was given ... fully understood, partially because of the lack of 
strategic intelligence regarding narcotics organizations. The National Drug Control Strategy of 
1989 noted: 

A comprehensive thrust against drug trafficking enterprises and organizations 
requires a different kind of intelligence....Greater emphasis ... 
automating this information for law enforcement purposes and analyzing it [and 
other data] to produce a better understanding of the structure and infrastructure of 
trafficking organizations and their allied enterprises. 

In 1989 and early 1990, the ONDCP negotiated publicly ... to establish the ... 
would be distributed to Federal, State and local officials for use. NDIC ... 
computer databases, coordinate collection and tasking and assess interagency efforts. The NDIC 
... interagency organization to include ... assets. Supervision of the NDIC would be the 
responsibility of the Attorney General, in ...; ...'s supporting role included foreign 
collection and methodological and technical assistance. The NDIC was envisioned as being a 
small, efficient organization in Washington, DC. 

With the formal ... Center. In the end, after significant Congressional 
negotiations and compromise, the NDIC was authorized. The compromise placed the NDIC in 
Johnstown, Pennsylvania, made the DOD the executive authority for the project, and restricted 
the Justice Department role in the Center itself to participation. A summary of relevant key dates 
and legislation is provided in Table 1.¹ 

D.3.2 Concept of Operations 

The multi-agency National Drug Intelligence Center is located in Johnstown, Pennsylvania. It is 
organized with a Director and three Deputy Directors. The Director is a Department of Justice 
position. The Deputy Director for Operations is a DEA position; the Deputy Director for 
Administration is an FBI position; and the Deputy Director for Technology is a DOD position 
currently filled by DIA. The staff of approximately 300 is composed of intelligence analysts 
(from Federal law enforcement agencies [LEAs]), special agents (from DOJ), technical experts 
(from DOD), administrative support, liaison staff from other agencies, and specialized contractor 
support. The Center also has a small liaison office in the Washington DC area to facilitate 
coordination. 

Generally, the Federal LEAs have stand-alone terminals at the Center which can be used to 
receive data released to the Center and send material to the owning agency, but cannot directly 
access agency network systems or databases. However, the Center has made some progress in 
negotiating direct access in some cases. PCs in a designated Operational Research Center allow 
analysts access to open source material such as Reuters, AP, and Nexis/Lexis. Desktop PCs 
throughout the NDIC allow analysts to exchange information among themselves via a LAN, but 
they are not connected outside the facility. Analysts generally focus on specific organizations as 
targets. They correlate and fuse information on crop production and facilities, financial practices, 
chemical sources, transportation and distribution assets, communications and other topics to 
produce strategic organizational drug intelligence (SODI) pertaining to the infrastructure of a 
drug trafficking organization. 

The Center both responds to specific requests for intelligence products and strives to develop and 
maintain a strategic organizational drug intelligence database, library and index system. The 
Center also has a deployable document exploitation team that can assist LEAs with reviewing, 
cataloging, analyzing and exploiting various documents which are seized in drug raids. 

Senior personnel at the Center acknowledge that rivalry among the LEAs — largely as a result of a 
“scoring system” that keys future funding to arrest and prosecution statistics — adversely affects 
the degree of information sharing and coordination that is achieved today. However, they 
indicate a belief in a positive trend as the mutual confidence builds from personal interaction by 
representatives from the different agencies. 


¹ This paragraph abstracted from Executive-Legislative Relations in the Creation of the National Drug Intelligence 
Center, Donald J. Carey, LT., U.S. Navy, September 1991. 
Table 1. A Summary of Milestones in Establishing the NDIC 

1986 
  PL 99-570: $1.7 Million approved for anti-drug measures. 

1988 
  PL 100-463: Defense Appropriations Bill includes $300 Million for narcotics interdiction. 
  PL 100-690: $2.8 Billion ... 

1989 
  PL 101-164: Authorized $3.18 Billion in new anti-drug funding. 
  PL 101-231: Authorized drug fighting assistance for Colombia, Bolivia and Peru. 
  September 1989: 1989 Drug Control Strategy released. 
  December 1989: Panama invaded, Gen. Noriega arrested on drug charges. 

1990 
  January 1990: 1990 Drug Control Strategy released. 
  June 1990: Legislation to establish NDIC sent to Congress. 
  PL 101-511: FY 1991 Defense Appropriations Act provided $10 Million for NDIC in Johnstown. 
  PL 101-515: Department of Justice prevented from expending funds on NDIC. 

1991 
  February 1991: 1991 National Drug Control Strategy released. 
  FY 1992 Defense Appropriations Bill: Provided $40 Million for NDIC. 
  October 1991: NDIC opened in Johnstown, PA. 
D.3.3 Relationships Between NDIC and Other Government Agencies 

The NDIC has the responsibility for developing technical and organizational protocols 
(Memoranda of Agreement) required for access to information provided by other organizations. 
Technical protocols specify the hardware and software interfaces to allow NDIC access to the 
Agencies’ information. Organizational protocols, documented in memoranda of agreement, 
specify restrictive procedures for accessing data and assure the protection by NDIC of both data 
source and success as specified by the originator of the information. The other Government 
agencies NDIC is working to establish protocols with to preclude duplication of effort and 
redundancy include: Treasury, U.S. Coast Guard, Immigration and Naturalization Service, 
Customs Service, CIA, NSA, FBI, DEA and selected DOD organizations. 

D.3.4 Relationships Between NDIC and International Agencies 

Currently, NDIC has no direct relationships with international agencies such as Interpol or with 
law enforcement agencies of other nations, although they are deemed desirable. At this time, 
such relationships are the closely guarded province of other Federal agencies. This situation 
exists regarding State and local authorities as well — such relationships are the province of the 
Federal law enforcement agencies. 

D.3.5 Observations on Potential Lessons Learned and Pitfalls 

• It is essential to develop a constituency in both the Congress and the Administration in 
order to establish an IW-D Center. 

• A high level advocate who can articulate the need for the Center is essential. 

• There are likely to be concerns regarding the integration of the intelligence community or 
its use in support of an IW-D Center. 

• The preliminary operations concept of the Center needs to allow for Congressional 
compromises regarding physical location. 

• Interagency sensitivities regarding information use and sharing may be nearly as strong as 
those of civilian organizations that may be involved in the Center. 

• Funding for the Center should be as stable as possible through the formative period for 
establishing a capability. 

• High quality “human capital” is a must. 
E.1 INFORMATION INFRASTRUCTURE ASSURANCE PRINCIPLES 

Information assurance is a term which can be used to describe the needed IW-D capabilities (and 
associated protection) of an information infrastructure. Some basic definitions are needed to 
understand the principles: 

• Availability of Service - An assured level of service, capacity, quality, timeliness, and 
reliability. 

• Denial of Service - The opposite of availability of service. 

• Information Integrity - Complete, sound, unaltered, and unimpaired information. 

• Corruption of Information - The opposite of information integrity. 

• Information Assurance - The availability of services and information integrity. 

• Disruption - Denial of service or corruption of information resulting from a single event, 
cause, or source; whether direct or indirect; whether accidental, intentional, rare or 
common. 

• Stress Level - Military situations under which the infrastructure is expected to operate. 
These include: 

- Peacetime (natural disasters, sabotage, equipment and service failures, unintentional 
acts) 

- Crisis/mobilization (terrorism, low intensity conflict, conventional war) 

- Simultaneous two-theater engagements 

- Limited nuclear war (nuclear terrorism, uncoordinated/accidental, theater nuclear) 

- Expanded nuclear (coordinated attack) 

- Post-attack (recovery and reconstitution). 


In the traditional systems engineering context, availability is a function of the reliability and 
maintainability of the system while integrity of data is a function of the quality (or grade of 
service) of the system transporting the data. In addition, these measures of system performance 
are traditionally based on design assumptions that disruptions are random in nature (e.g., 
component failures, human errors, and acts of nature). 

Information assurance is not just a function of the reliability, maintainability, and quality of the 
network or infrastructure. Information assurance addresses the capability of an infrastructure to 
endure a variety of disruptions ranging from natural disasters to accidents to intentional 
disruptions by the enemies or by insiders. For example: 

• A lightning strike on a critical node in the network can cause node failure; or, an 
earthquake or hurricane can not only physically disrupt the network but can also cause 
network congestion, another source of disruption. 
• ... of key network management data by a network manager can cause many ... network 
to break down at a critical juncture. 

... assurance principles. 

There are substantial differences between ... a resilient information infrastructure capable of 
... intentional disruptions. A typical information system design assumes that system components 
will normally operate properly, with the common failure being that of individual components. A 
resilient information infrastructure design assumes that only some of the components will operate 
properly at any point in time. A typical information system design will incorporate central 
control mechanisms, clocks, and other techniques to use resources efficiently. A resilient 
information infrastructure must be based on some decentralization of control and independence 
of portions of the infrastructure. Information system design is typically based on efficiency 
while a resilient information infrastructure design must be based on effectiveness. For example, 
the entire field of fault tolerant computing is based on building redundancy into otherwise 
efficient systems in order to make them more effective against disruptions. Similarly, the design 
of a resilient infrastructure will assure diversity of hardware and software so that a common 
failure mode will not result in an infrastructure failure. 

In the context of information assurance, network operations ... should be viewed from a 
different ... Those controlling these functions (and users in some cases), should be able to ... 
differentiate among, warn of, respond to, and recover from disruptions. Recovery from 
disruptions resulting from failures or attacks might involve repair, reconstitution, or deployment 
of reserve assets. In some cases, network managers may have to isolate portions of the network 
to preclude the spread of disruption. Given ... through networks, these capabilities may need to 
be available in automated form within the network itself. Finally, there must be some means to 
manage and control these capabilities. 

The underlying philosophy in ... is one of risk management and not of risk ... the 
infrastructure. Risk management requires that threats be defined, that measures be undertaken 
to reduce the realization of the threat, that countermeasures to threat occurrence be based on 
realistic application of resources and ..., and that ... from threat occurrences be ... 
part of the infrastructure. Finally, it will be necessary to assume some degree of risk while 
maintaining some minimum infrastructure operating capability. 

Based on a review of existing documentation, a list of information assurance principles has been 
developed and is presented below. Because the infrastructure and the concept of information 
assurance are still under development, the list is not exhaustive. 

The following operational information is required from CJCS and the Commanders-in-Chief 
(CINCs) of the Unified and Specified (U&S) Commands to quantify some of the principles: 

• Information Transfer Priorities - Priorities for the transfer of voice, data, imagery, and 
video information based on a process developed by the JCS and based on the existing 
process used to establish priorities for voice and messages. 

• Minimum Operating Capability - The minimum set of fixed and deployed capabilities 
required for each stress level, based on operations tempo and forces supported. 

• Normal Operating Capability - A specified set of fixed and deployed capabilities required 
for peacetime and crisis/mobilization stress levels, based on operations tempo and forces 
supported. (In coordination with CJCS and the CINCs, DISA will, in its role as the 
central manager of the DII, specify this set.) 

• Expected Disruptions - The expected level of disruptions to be sustained over time at 
each stress level. (This is normally based on intelligence estimates of enemy capabilities, 
insider threats, natural disasters, and other anticipated causes.) 

• Minimum Assured Resiliency - The capability to sustain a specified number of 
simultaneous, worst-case disruptions at each stress level while still maintaining the 
Minimum Operating Capability. 

• Desired Resiliency - The capability to sustain Expected Disruptions while maintaining a 
Normal Operating Capability. (In coordination with CJCS and the CINCs, DISA will, in 
its role as the central manager of the DII, specify this set.) 


Information Assurance Principles: 

• The infrastructure shall be considered a potential battlefield. 

• The infrastructure shall provide Minimum Resiliency. 

• The infrastructure shall detect substantial disruption, differentiate accidental disruption 
from intentional disruption, provide ample warning of disruption, respond to and recover 
from disruption, and be repairable at a rate sufficient to sustain Minimum Operating 
Capability under Expected Disruptions. 

• The infrastructure shall detect large classes of event sequences that are likely or 
anticipated to lead to disruption and provide mechanisms so that disruptions from these 
events are: 
- Prevented when possible within cost constraints 

- Limited in the extent of their effect when prevention is not feasible 

- Responded to prior to actual disruption when detected in time 

- Traced to their source whenever possible within cost constraints. 

• ... infrastructure operations, ... information assurance capabilities shall be regularly ...; 
proposed tests must be simulated ... they perform and operate properly ... do not unduly 
degrade the ... reconciled ... infrastructure. After testing, expert ... 

• The infrastructure shall be ... Desired Resiliency specified by DISA. 

• ... combined forces ... infrastructures. 

• New infrastructure components shall be designed such that: 

- If they are disrupted, they do not react so as to disrupt neighboring components 

- Disrupted neighboring components do not disrupt the new component regardless ... 

- ... maintained until they return to normal operating ... 

- Local and system management services are notified of disruptions and ... 

• The infrastructure training ... and that ample personnel and resources are 
available to operate and sustain the infrastructure at the Minimum Operating Capability 
during Expected Disruptions. 

• Sufficient inventory of and/or manufacturing capability for parts, equipment, tools, 
supplies, and support systems shall be maintained to enable operation, repair, and 
reconstitution of the infrastructure under all stress levels. 

• The infrastructure users shall be licensed to operate on the information highway. 
Licensing procedures shall include knowledge of the network, rules of the road, 
information assurance, and incident response processes and capabilities. 
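To make the Minimum Assured Resiliency and Desired Resiliency definitions above computable, and to show why the principle that a disrupted component must not disrupt its neighbors matters, here is an added worked example (mine, not the report's): a constructed six-component network, one "legacy" component of which spreads its disruption to its neighbor, evaluated by brute force over every set of k simultaneous disruptions. The topology, capacities and the MOC/NOC thresholds are assumed sample values.

```python
"""Resiliency arithmetic for a small information infrastructure model."""
from itertools import combinations
from typing import FrozenSet, NamedTuple


class Component(NamedTuple):
    capacity: int               # service capacity contributed (arbitrary units)
    neighbours: FrozenSet[str]
    contained: bool             # True: its own disruption stays inside it


# Constructed sample topology and capacities; hypothetical, not from the report.
# edge_2 is a "legacy" component that reacts to disruption by disrupting its
# neighbour, the behaviour the design principle above rules out.
SAMPLE = {
    "core_a": Component(40, frozenset({"core_b", "edge_1", "edge_2"}), True),
    "core_b": Component(40, frozenset({"core_a", "edge_3", "edge_4"}), True),
    "edge_1": Component(15, frozenset({"core_a"}), True),
    "edge_2": Component(15, frozenset({"core_a"}), False),
    "edge_3": Component(15, frozenset({"core_b"}), True),
    "edge_4": Component(15, frozenset({"core_b"}), True),
}


def disrupted_set(nodes, initial):
    """Components down after a disruption of `initial` has run its course.

    A non-contained component that goes down takes every neighbour down with
    it, and the spread continues through any further non-contained neighbour;
    a contained component absorbs the disruption.
    """
    down = set(initial)
    frontier = list(initial)
    while frontier:
        name = frontier.pop()
        if nodes[name].contained:
            continue
        for nb in nodes[name].neighbours:
            if nb not in down:
                down.add(nb)
                frontier.append(nb)
    return down


def remaining_capacity(nodes, initial):
    """Capacity still available once the disruption has spread."""
    down = disrupted_set(nodes, initial)
    return sum(c.capacity for n, c in nodes.items() if n not in down)


def worst_case(nodes, k):
    """Lowest remaining capacity over every choice of k simultaneous
    disruptions, with one disruption set that achieves it."""
    worst = None
    for combo in combinations(sorted(nodes), k):
        cap = remaining_capacity(nodes, combo)
        if worst is None or cap < worst[0]:
            worst = (cap, frozenset(combo))
    return worst


def minimum_assured_resiliency(nodes, moc):
    """Largest k for which any k worst-case simultaneous disruptions still
    leave the Minimum Operating Capability (moc); None if moc is not met
    even with nothing disrupted."""
    if remaining_capacity(nodes, ()) < moc:
        return None
    k = 0
    while k < len(nodes) and worst_case(nodes, k + 1)[0] >= moc:
        k += 1
    return k


def meets_desired_resiliency(nodes, expected_disruptions, noc):
    """Desired Resiliency: sustain the Expected Disruptions while keeping
    the Normal Operating Capability (noc)."""
    return worst_case(nodes, expected_disruptions)[0] >= noc


def with_all_contained(nodes):
    """The same topology after every component is made to contain its
    own disruption."""
    return {n: c._replace(contained=True) for n, c in nodes.items()}


if __name__ == "__main__":
    MOC, NOC, EXPECTED = 60, 100, 1          # assumed thresholds
    for label, net in (("as built", SAMPLE),
                       ("all contained", with_all_contained(SAMPLE))):
        cap, who = worst_case(net, 1)
        print(f"{label}: worst single disruption {sorted(who)} leaves {cap} units; "
              f"Minimum Assured Resiliency at MOC={MOC}: "
              f"{minimum_assured_resiliency(net, MOC)}; "
              f"Desired Resiliency ({EXPECTED} expected, NOC={NOC}): "
              f"{meets_desired_resiliency(net, EXPECTED, NOC)}")
```

Containing the one legacy component raises the network's Minimum Assured Resiliency from 1 to 2 and lets it meet Desired Resiliency without adding any capacity.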

The goal in postulating these information assurance principles is to eventually outline a set of 
specifications (on the order of A-Level specifications) that will shape the design and integration 
of the infrastructure or that can be used as a part of the specifications for the acquisition of 
services from the local and long-distance carriers and from information processing vendors. In 
order to bridge the gap between the information assurance principles and a set of specifications, 
it will be necessary to develop strategies for providing the attributes. Some elements that might 
be considered in developing those strategies include: 

• Capacity 

• Diversity 

• Co-location of network components at hardened subscriber sites 

• Provision of uninterruptable power to selected sites 

• Selected redundancy in network components 

• Use of diverse transmission media 

• Redundant network access links for key subscribers 

• Precedence (priority) mechanisms 

• Congestion control mechanisms 

• Transportable reserve assets for reconstitution of damaged portions of the network 

• Infrastructure restoration and reconstitution 

• Multiple inter-network gateways 

• Personal reliability program for network managers 

• End-to-end network control (that does not depend on the network to operate) 

• Scalable infrastructure components 

• Repairability. 

Successful implementation of information assurance will require a multi-disciplinary team 
capable of formulating a comprehensive set of requirements, knowledgeable of current and 
emerging technologies, capable of overseeing the design of the infrastructure from an 
information assurance perspective, and capable of managing the implementation of information 
assurance in the infrastructure. 


E.2 “Raise the Bar” Exercise 

tested, and made operational in (say) 18 months, and that the relevant operational staffs are also 
well informed and trained. 

8. Make the recently published NIST Handbook of computer security required reading for all 
personnel associated with the operations, maintenance, installation, design, procurement and 
upgrade of both hardware and software in key [or: all] information systems [Alternate: do this 
initially for all information systems based on COTS; but later, add the embedded systems as well]. 

Make this handbook also required reading for every training or educational course given to 
military personnel. 

9. Survey all acquisitions of information systems and computer-containing weapon systems now 
underway and take such steps as necessary to guarantee that up-front design consideration has 
been given to information assurance, netsec, infosec and opsec. 

10. Compile an inventory of all weapon systems that contain embedded computers and for each, 
define and characterize the line of responsibility, organization(s) and physical locations which 
support the deployed system. Hence, identify vulnerabilities and weak spots that might be 
exploited by an opponent; create plans to remedy these risks on a quick response basis. 

11. Survey all deployed weapon systems that are computer-based with especial attention to all 
phases of maintenance and upgrades of software and hardware and to daily operations. The 
object is to identify places and means by which subversive actions could be taken to degrade or 
perturb weapon performance. The level of effort might be such that candidates for this 
examination will need to be ranked in order of importance and operational vulnerability. 

12. As in item [11] but do for all support systems, whether CONUS or field deployed, that are 
not COTS-based but use specialized software and/or hardware. 

13. As in [12] but for COTS-based systems. 

14. Reconsider any/all of the prior suggestions from the point of view of likely geographic, 
cultural and infrastructure circumstances in which U.S. military forces might have to operate in 
the next (say) decade; e.g., SWA, Adriatic theater, mid-East, Korea. Object: to judge whether a 
different prioritization of effort would be suggested or warranted. 

15. Begin an assessment of the civilian-infrastructure aspect of the issue; e.g., identify the 
military bases essential for an OCONUS deployment and do so for several different durations of 
engagement (e.g., weeks, months, years). Identify for each the present arrangements for 
provision of electrical power, of other energy sources, of communications -- especially telephone 
and PSN-based, and of off-base medical, personnel, or commissary requirements. 

16. As in [14], but for long-term overseas bases; e.g., Europe, Japan/Korea/Okinawa. 

17. Any/all of the above for the intelligence systems (sensors, ground stations, antenna farms, 
electronic establishments) rather than for the operational forces and the support structure. 


APPENDIX F 

Technology Issues 


This appendix further discussion of the … 

Issues developed by the Technology Panel are presented in a set of key technology areas for 
Information Warfare Defense, which are grouped as shown. 
SECURITY & SURVIVABILITY OF NEW AND 
EMERGING TECHNOLOGY 

• ISSUE: 

- SYSTEMS BASED ON CURRENT TECHNOLOGY ARE VULNERABLE 
DUE TO LACK OF ATTENTION TO SECURITY AND SURVIVABILITY 
DURING DESIGN AND DEVELOPMENT 

• RECOMMENDATIONS: 

- INCORPORATE INFORMATION SECURITY EARLY ON IN NEW 
INFORMATION SYSTEMS TECHNOLOGY DEVELOPMENT 

- DEVELOP AND MANDATE USE OF WIDELY ACCEPTED ROBUSTNESS 
STANDARDS (COOPERATIVELY DEVELOPED BY GOVERNMENT & 
COMMERCIAL INTERESTS) 

• COMPONENTS 

• INTERFACE STANDARDS 

• POLICIES, PROCEDURES & PROCESSES 

- COMPLIANCE ASSURANCE 

- CONFIGURATION MANAGEMENT 

- ADMINISTRATIVE OVERSIGHT 

• OPERATIONAL TRAINING 

- REQUIRE VULNERABILITY & COUNTERMEASURE ANALYSIS DURING 
R&D AND SYSTEMS DEVELOPMENT 


SECURITY AND SURVIVABILITY OF NEW AND EMERGING TECHNOLOGY 

Current system vulnerabilities are due in part to lack of attention to security and survivability 
issues during design and development of computing and communicating technologies. Now that 
the collective vulnerability due to dependence on these technologies is recognized, it is equally 
important to recognize the need to address security and survivability concerns in the development 
of new technologies. Security and survivability must be treated as critical requirements in the 
conceptualization and development of new and emerging technologies. While new technology is 
in its earliest conceptual stages, there are unique opportunities to influence developments so as to 
minimize vulnerabilities and strengthen security. 

Information security needs to be incorporated early on in new information systems technology 
development. It is essential that the government and commercial developers of products for 
information systems cooperate in the evolution of common standards for robust products and 
practices. Information security and survivability should be incorporated early on in the 
development of new information systems. It is recommended that significant attention be given 
to stimulating and encouraging this process. Areas where commonality of robustness standards 
and practices should be pursued include: component hardware and software products; security 
interfaces; system management policies, procedures, and processes addressing such issues as 
compliance assurance, configuration management, administrative oversight, and robust systems 
operational training programs. 

Since a significant level of research in the information technology area is funded by the DoD, 
security and survivability should become required aspects of funded programs. In addition, a 
DoD funded research activity should be directed at vulnerability- and countermeasures-oriented 
analyses of new ideas and emerging technologies, and making the results widely available to the 
research community. 
SURVIVABLE INFORMATION SYSTEMS 
PRINCIPLES 

• FAULT TOLERANT SYSTEMS 
COTS INFORMATION SYSTEM TECHNOLOGY 
EVALUATION CAPABILITY 

• ISSUES: 

- THERE IS GROWING RISK OF VULNERABILITY DUE TO INCREASED RELIANCE 
ON COTS INFORMATION SYSTEM PRODUCTS; ROBUSTNESS & SECURITY 
FEATURES NOT GENERALLY A PRIORITY FOR VENDORS 

• RECOMMENDATIONS: 

- ESTABLISH FOR DoD A COTS INFORMATION SYSTEM TECHNOLOGY 
EVALUATION CAPABILITY TO: 

• IDENTIFY VULNERABILITIES, FIND WORKAROUNDS, AND DISSEMINATE RESULTS 

• HELP DoD BE AN INFORMED BUYER 

• UNDERSTAND RISKS AND HOW TO OPERATE IN FACE OF RISKS 

• SCREEN FOR VIRUSES 

• CONDUCT VULNERABILITY ANALYSES 

• DEVELOP MITIGATION TECHNIQUES FOR EXISTING PROBLEMS 

• EVALUATE INTEGRATED SECURITY ARCHITECTURES 

• PROVIDE RISK ASSESSMENT/ADVISORY SERVICES TO USERS/SYSTEM DEVELOPERS 

• PROVIDE INFORMAL RANKINGS OF COTS INFORMATION TECHNOLOGY PRODUCTS 
TO CREATE A MARKET INCENTIVE FOR VENDORS TO IMPROVE THEIR PRODUCTS 

- DEVELOP LONG RANGE PLAN TO MIGRATE TO A NATIONAL CAPABILITY 

• Note - This is an open-ended problem because the number of COTS products is 
growing rapidly. Funding is identified to develop the basic capability - application 
of it would be distributed. 


COTS INFORMATION SYSTEM TECHNOLOGY EVALUATION CAPABILITY 

Economic pressures are driving the DoD toward use of COTS information systems technology, 
rather than custom mil-spec systems. Unfortunately manufacturers are not motivated to develop 
defensive IW features in their products, since commercial customers generally are not demanding 
them, and such features typically impact performance. Thus the DoD must take special measures 
to insure that the COTS approach provides adequate DIW protection for DoD applications. 

It is recommended that a COTS information system technology evaluation capability be 
established within the DoD, in order to characterize vulnerabilities in COTS products, and to 
develop means for dealing with their deficiencies. Basic DIW performance/certification criteria 
should be developed, focusing initially on DoD needs but conforming to best commercial 
practices insofar as possible. A major long term goal is to foster collaboration with the 
commercial marketplace, and plans should be developed to migrate toward a national joint 
DoD/commercial technology evaluation capability, rather than unilaterally setting rigid DoD 
requirements that ultimately will be resisted or ignored by industry. This organization or set of 
organizations should identify product vulnerabilities, discover workarounds, and disseminate the 
results. The idea is to understand the risks and learn to operate in the face of them. Currently 
many DoD organizations would have to analyze these products themselves; a central facility 
would leverage scarce expertise and save money. Such a center could serve a role like a 
“Consumer’s Union,” and informal rankings of products could be provided, which could act as 
a spur to vendors to improve their products. 

R&D is needed, preferably with joint government/industry support and working with both the 
offensive and defensive IW communities, to develop means for identifying product 
vulnerabilities to both established and emerging threats, disseminating information on such 
weaknesses, and developing corrective measures. Such a technology evaluation center should 
also provide risk assessment/advisory services to system developers and users, perhaps based on 
the current Internet model of cooperation. 

Note - Implementation of this recommendation is not trivial. The intent is to develop the 
capability, which will undoubtedly need to be tailored for different products. The … 
(and even pay for) their system for test. The funding proposed is only for development of the 
capability. 
MATURITY MODELS 


• ISSUE: 

- LACK OF CAPTURE AND PROMOTION OF BEST SECURITY PRACTICES 
TO GUIDE ROBUSTNESS IMPROVEMENT IN SYSTEM ACQUISITION, 
ENGINEERING, AND MANAGEMENT 


• RECOMMENDATIONS: 

- DEVELOP MATURITY MODELS FOR ROBUSTNESS AND SECURITY 
(BUILD ON SOFTWARE & SYSTEM ENGINEERING MATURITY MODELS) 

- EXTEND ACQUISITION MATURITY MODEL TO INCLUDE PRACTICES 
FOR IMPROVING ROBUSTNESS OF ACQUIRED SYSTEMS 

- DEVELOP MATURITY MODEL FOR SYSTEM MANAGEMENT PRACTICES 

- RECOGNIZE SYSTEM MANAGEMENT AS A READINESS ISSUE 

- DEVELOP ASSESSMENT METHODS TO SUPPORT EACH MODEL 

- INCLUDE “RED-TEAMING” OF THE MATURITY MODELS 

- DEVELOP TOOLKITS TO AID IMPLEMENTATION OF PRACTICES 
DEFINED BY THE MODELS 

- APPLY MODELS TO ASSESS THE MATURITY OF THE CRITICAL 
NATIONAL INFRASTRUCTURE (E.G., TELECOMMUNICATIONS, ENERGY 
DISTRIBUTION, TRANSPORTATION, ETC.) 




MATURITY MODELS 

The trend toward increased use of commercial off-the-shelf software, open systems and wide 
area networks, is placing the information assets of many organizations at risk. These 
organizations may not be aware of the risks associated with these new environments, and may 
not be aware of the key engineering and network management practices that can be used to 
mitigate the risks. Acquisition and engineering managers lack comprehensive models and 
analytic techniques to evaluate the impact of architectural and other design choices on system 
robustness before major implementation investments have been made. Once networked systems 
are placed into operation, network operators often depend on practices and tools that were 
developed to assure the integrity of proprietary networks that had limited external connectivity 
and that were based on custom-designed software. Integrity assurance techniques developed for 
these restricted environments are not adequate for open, wide area networks or for an 
environment characterized by rapidly changing technologies and threats, and are typically 
focused on classical security issues. 

Organizations that acquire and operate networked systems are in need of models, guidelines and 
tools that are effective at helping them acquire and operate systems that are highly resistant to 
attack, that are able to limit the damage from successful attacks, and that are capable of rapid 
recovery from attack. As missions, technology and threats evolve, these organizations also need 
system robustness assessment methods that allow them to adapt to the changing environment. 
Models, methods, and tools should be developed and refined concurrently to insure that 
management practices are aligned with the technology that supports them. The areas indicated 
below should be addressed. 
Robustness Engineering Models 

It is recommended that existing Software and Systems Engineering Capability Maturity Models 
be extended to describe the key engineering practices and technologies needed to … 
attributes of the delivered systems. 

Robust Systems Acquisition Maturity Model 

… custom software, and specifies the use of robustness evaluation for off-the … 

Survivable Network Management Model 

… threat. 

But more than a Network Management Model is needed. Automated tools are needed which will 
support management of large, complex, heterogeneous networks, with automated 
enforcement of an organization’s survivability and security management models. 

Robustness Assessment Methods 

It is recommended that robustness assessment methods be designed to allow an organization, 
with or without outside expertise, to analyze its practices against each of the system robustness 
models for the purpose of identifying its current state and developing robustness/survivability 
improvement strategies and plans. The assessment methods must: 
- be suitable for self-assessment; 

- yield detailed results that tell an organization where it is, where it should be, and how to 
get there; 

- take advantage of a knowledge base that tracks threats and vulnerabilities; and 

- be self-tailoring to the organization being assessed. 

Robustness Improvement Toolkits 

It is recommended that robustness improvement toolkits be developed that provide the tools 
needed to support the assessment methods and the key practices defined by the models. Tools 
must be structured to encapsulate knowledge of system robustness practices to leverage scarce 
human resources in order to help people understand which tools to use for what purposes, and 
promote commercialization of the tools and a community of vendors to extend and maintain 
them over time. 

As these models and practices evolve, it is recommended that they be applied to and evaluated 
for effectiveness against critical elements of the national, information-dependent infrastructure, 
such as energy distribution, telecommunications, and transportation systems. 
TRAINING OF SYSTEM AND NETWORK ADMINISTRATORS 

• ISSUE: 

- … IS USUALLY THE RESULT OF HUMAN ERROR 

• RECOMMENDATIONS: 

- … TRAINING OF SYSTEM AND NETWORK 
ADMINISTRATORS TO FORM SKILLED CADRE 

- ESTABLISH RECOGNIZED CAREER PATH 

• CRITERIA FOR SELECTION AND CERTIFICATION 

- DEVELOP INFRASTRUCTURE FOR SECURITY TRAINING 

• TECHNIQUES, CURRICULUM, TOOLS, TEST BEDS 

• EXPLOIT SIMULATION TECHNOLOGY 


MODELING AND SIMULATION 


• ISSUE: 

- CURRENT MODELING AND SIMULATION EFFORTS DO NOT INCLUDE DIW 

- … LACKING IN CURRENT SIMULATION … 

• RECOMMENDATIONS: 

- … REHEARSAL AND TRAINING, AND IW GAMING 

- … CURRENT DISTRIBUTED INTERACTIVE SIMULATION 
EFFORTS (COORDINATE WITH DMSO) 





RED TEAMING 


• ISSUE: 

- DIW RED TEAMS ARE NOT USED ROUTINELY IN OPERATIONS & EXERCISES 

• RECOMMENDATIONS: 

- … COMPONENT OF DIW TECHNOLOGY AND STRATEGY DEVELOPMENT PROCESS 

- CONDUCT UNDER PROPER RULES OF ENGAGEMENT TO AVOID UNNECESSARY DAMAGE 

- VULNERABILITY ANALYSIS & ROBUSTNESS ENGINEERING AS WELL AS IW ATTACKS 

• PROVIDE VULNERABILITY ANALYSIS TO THE ANTI-RED TEAM 

• SPECTRUM OF ATTACK SHOULD INCLUDE: 

- DECEPTION, DESTRUCTION, CORRUPTION, AS WELL AS EXPLOITATION 

- SOFTWARE AND DATABASE ATTACKS AS WELL AS COMM / JAMMING ATTACKS 

- NEW ATTACK METHODOLOGIES IN ADDITION TO APPLYING KNOWN TECHNIQUES 

- DEVELOP ANTI-RED TEAM TACTICS / SOPs 

- MUST DISTINGUISH RED TEAM PENETRATIONS FROM REAL PENETRATIONS 


RED TEAMING 

Red Teaming is an essential component of the DIW strategy and technology development 
process, but it is recommended that the concept be extended to include vulnerability analyses as 
well as IW attacks during experimental activities in controlled testbeds and during 
training/planning exercises. The Red Team exercises should be conducted under proper rules of 
engagement to avoid unnecessary damage or disruption to information systems. The results 
should be utilized by the Anti-Red Team to perform robustness engineering and to plan for 
fighting the Information War during the exercises as well as during operations. Emphasis should 
be given to developing new attack methodologies in addition to reuse and application of current 
attacker techniques. For example, attacks should be designed which … an information system’s 
survivability features, which must be assumed known to a sophisticated attacker. In formulating 
these attack strategies, models should first be developed for system vulnerabilities and defenses, 
and these models should be integrated into the attack strategies. Vulnerability analyses and Red 
Team attacks should be conducted at the application and system level, as well as at the subsystem 
level, with the goal of uncovering how operations can be perturbed (e.g., the planning and 
execution of an air tasking order or the deployment of sensors and communication assets), and 
how supporting communication links, or specific computers and network nodes can be 
compromised. 

In addition to Red Teams, it is recommended that Anti-Red Teams (DIW Teams) be formed and 
tasked to prepare for and fight Red Team attacks. These activities will provide a basis for 
developing strategies and tools for use during operations to detect and respond to Information 
Warfare attacks. The Anti-Red Team should also be charged with providing inputs to the system 
designers and builders to assure the incorporation of robustness features. Network managers 
should be included as part of the DIW teams to assure that damage containment and service 
restoral techniques are effectively exercised as part of the counter-IW operation. 
COORDINATION AMONG OFFENSIVE IW, 
DEFENSIVE IW, AND INTELLIGENCE 


• ISSUES: 

- DIW VULNERABILITY ASSESSMENTS COULD BE IMPROVED THROUGH DYNAMIC 
INTERPLAY AMONG IW OFFENSE, DEFENSE, AND INTELLIGENCE 

- LACK OF INFORMATION SHARING AMONG OFFENSE, DEFENSE, AND INTELLIGENCE 
ON VULNERABILITIES 

- IW OFFENSE, DIW, AND INTELLIGENCE COULD ALL BENEFIT FROM 
INCREASED COORDINATION 

• RECOMMENDATIONS: 

- REQUIRE AND MOTIVATE INTELLIGENCE UNITS TO PLAY A 
ROLE IN EVALUATING VULNERABILITY ASSESSMENTS 

- PROMOTE DYNAMIC INTERPLAY AMONG OFFENSIVE & DEFENSIVE SIDES, 
AND INTELLIGENCE 

- ESTABLISH AN INDEPENDENT “ORANGE” TEAM … OFFENSE, DEFENSE, AND INTELLIGENCE 

- SECURE CHANNELS … INFORMATION 
COORDINATION AMONG OFFENSIVE IW, DEFENSIVE IW, AND INTELLIGENCE 

… to avoid unnecessary vulnerabilities. 

It is recommended that a mechanism be established to support a continuing, dynamic 
dialogue and interplay among the offensive, defensive and intelligence communities. This 
activity should include vulnerability discovery and attack techniques on the one hand, and 
vulnerability assessments of emerging defensive techniques and technologies on the other. 

To provide an objective mechanism for facilitating and coordinating this dynamic interplay, an 
independent “ORANGE” team could be formed, devoid of vested interests on either the 
offensive, defensive, or intelligence side, to play the role of umpire and objective score keeper in 
vulnerability assessment war gaming activities. It is likely that this type of 3-way interaction will 
lead to a better understanding of the fundamental exploitable flaws typically occurring in system 
and communication software, distributed system architecture, communications infrastructure, 
and system management policies and procedures. This will also lead to new tools to address 
these particular areas of weakness, such as a tool for scanning developmental software to 
uncover design and/or implementation flaws, and leading ultimately to more reliable, robust end 
products. 
NATIONAL CAPABILITY FOR IW INDICATIONS AND WARNING 

• ISSUE: 

- NO NATIONAL CAPABILITY TO PERFORM IW INDICATIONS AND WARNING 

- MUST BE BROAD-BASED, WITH INDUSTRY / PRIVATE / GOVERNMENT … 

• RECOMMENDATIONS: 

- … 

• SCALABLE, WITH INTERFACES … OF A BROADER SYSTEM TO … 


NATIONAL CAPABILITY FOR IW INDICATIONS AND WARNING 

At present, no integrated, national capability … progress or preparation. Several civilian … 
team centers have evolved, however, to provide expert … recovery assistance for computer … 
by hostile actions. There is a need to detect such attacks before costly information corruption 
and network damage occurs. 

It is recommended that a National … capable of continuously gathering and analyzing … from 
government as well as commercial infrastructure … should be charged with searching for and 
detecting early signs and precursors of coordinated attack and providing warnings to U.S. 
government and … Towards that end, a phased approach is recommended, beginning with a DoD 
specific organization which is scalable and extensible and evolving towards a pan-… 
organization. Roles of the organization should include gathering and … of voluntarily 
contributed data, dissemination of findings, and acting as a clearing house of … feedback and 
responses from the community. The center should also … conducting R&D on techniques and 
tools for attack … As a … scale pilot program, an interconnection of existing DoD emergency 
response centers should be considered. 
MONITORING AND SURVEILLANCE 

• ISSUE: 

- TECHNOLOGY TO MEASURE AND MONITOR PENETRATIONS AND 
WIDE SCALE ATTACKS ON THE NII IS INADEQUATE 

• RECOMMENDATIONS: 

- DEVELOP AUTOMATED, DISTRIBUTED, COLLABORATIVE 
MONITORING AND SURVEILLANCE STRATEGY 

- ESTABLISH BROAD-BASED R&D EFFORT TO: 

• CREATE TOOLS TO FILTER NETWORK AUDIT DATA 

• CREATE TOOLS TO DISCRIMINATE BETWEEN NORMAL AND ABNORMAL 
BEHAVIOR, EASILY EXTENDIBLE FOR CHANGING THREATS 

• DEVELOP AUTOMATED, DISTRIBUTED, COOPERATIVE TECHNIQUES FOR 
CORRELATING AND EXPLOITING DATA ACROSS MULTIPLE SITES 

- DEVELOP, EVALUATE AND TRANSITION INTRUSION DETECTION 
TECHNOLOGY TO CRITICAL INFRASTRUCTURE SYSTEMS 

• DEVELOP TECHNIQUES FOR AND INVESTIGATE USE OF COOPERATING 
INTRUSION DETECTION SYSTEMS IN LARGE HETEROGENEOUS 
NETWORKS 

• DEVELOP ANALYSIS AND EVALUATION TECHNIQUES FOR INTRUSION 
DETECTION SYSTEMS 

• DEVELOP MODELS TO CHARACTERIZE IW ATTACKS 

• DEVELOP TECHNIQUES FOR AUTOMATED RESPONSE TO IW ATTACKS 


MONITORING AND SURVEILLANCE 

Current technology to detect, monitor and characterize local penetrations and wide scale attacks 
on the National Information Infrastructure (NII) is inadequate. A wide scale, coordinated, multi- 
faceted IW attack on the national information-dependent infrastructure represents a major 
distributed measurement and analysis challenge. In order to detect attacks of such scale and 
likely degree of subtlety, it will be necessary to extract and correlate data across many sites, since 
measurements at any single site may not be sufficient to reveal the emerging overall pattern. The 
types of attack mounted may involve techniques and degrees of sophistication beyond simple, 
standard intrusion detection tactics. 

It is recommended that an investment be made in developing a distributed monitoring and 
surveillance strategy for large scale networks, along with an associated set of supporting network 
architectural and instrumentation principles. Further, it is recommended that a broad based 
research and development effort be established to develop: 1) flexible, field modifiable, trainable 
tools to leverage human network and security administrators in filtering network audit data, 
discriminating between normal and abnormal behavior, and recognizing network attacks; 2) 
applied pattern recognition techniques (e.g., statistical model based, or neural net) capable of 
adaptation, learning and coping with temporal pattern sequences; and 3) techniques and strategies 
for automated, collaborative, distributed pattern recognition and problem solving, supporting the 
correlation and exploitation of data gathered across multiple sites in a large scale network. 
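The cross-site correlation argument above, as an added worked example that is not part of the report: a small Python detector run over constructed audit records from three sites. A per-site threshold detector sees too few failed logins at any one site to alert, while pooling the same records by source across sites exposes the coordinated probe. The site names, addresses, timestamps, event names and threshold values are all constructed for illustration.

```python
"""Cross-site correlation of audit records (constructed example).

A coordinated probe spread across many sites can stay below any single
site's alert threshold and only becomes visible when records from all
sites are pooled and correlated by source. Every site name, address and
record below is constructed sample data, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    site: str    # reporting site (constructed name)
    ts: int      # seconds since an arbitrary epoch
    src: str     # source address as seen by the site (constructed)
    event: str   # normalised event type, e.g. "auth_fail"


# Constructed audit data: three sites each see two failed logins from the
# same source within a few minutes (below a per-site threshold of 5), plus
# ordinary background activity from local users.
SAMPLE_RECORDS = [
    AuditRecord("site-a", 100, "198.51.100.7", "auth_fail"),
    AuditRecord("site-a", 160, "198.51.100.7", "auth_fail"),
    AuditRecord("site-a", 170, "10.0.0.5", "auth_ok"),
    AuditRecord("site-b", 120, "198.51.100.7", "auth_fail"),
    AuditRecord("site-b", 200, "198.51.100.7", "auth_fail"),
    AuditRecord("site-b", 210, "10.0.1.9", "auth_fail"),
    AuditRecord("site-c", 130, "198.51.100.7", "auth_fail"),
    AuditRecord("site-c", 190, "198.51.100.7", "auth_fail"),
    AuditRecord("site-c", 3000, "198.51.100.7", "auth_fail"),  # outside window
]


def _count_in_window(timestamps, window):
    """Largest number of events that fall inside any `window`-second
    interval (sliding window over the sorted timestamps)."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_per_site(records, threshold=5, window=600):
    """Single-site detector: alert on (site, src) pairs whose failed logins
    reach `threshold` within `window` seconds, using only that site's data."""
    by_key = defaultdict(list)
    for r in records:
        if r.event == "auth_fail":
            by_key[(r.site, r.src)].append(r.ts)
    return {k for k, ts in by_key.items() if _count_in_window(ts, window) >= threshold}


def detect_cross_site(records, threshold=5, window=600):
    """Correlating detector: pool failed logins from all sites by source and
    alert when the pooled count reaches `threshold` within `window` seconds.
    Returns {src: sorted list of sites that contributed records}."""
    by_src = defaultdict(list)
    sites = defaultdict(set)
    for r in records:
        if r.event == "auth_fail":
            by_src[r.src].append(r.ts)
            sites[r.src].add(r.site)
    return {src: sorted(sites[src])
            for src, ts in by_src.items()
            if _count_in_window(ts, window) >= threshold}


if __name__ == "__main__":
    print("per-site alerts  :", detect_per_site(SAMPLE_RECORDS))
    print("cross-site alerts:", detect_cross_site(SAMPLE_RECORDS))
```

The per-site pass returns nothing, because no single site holds more than three of the probe's records; the pooled pass sees six failed logins from the same source inside the window and names all three contributing sites. The same shape (pool, then window) applies to other event types once the records share a normalised schema across sites.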

There is a critical need to develop, evaluate and transition intrusion detection technology and 
methodology to critical infrastructure systems, in particular telecommunication systems. To meet 
this need it is recommended that significant R&D efforts be focused in 1.) development and 
investigation of techniques for cooperative intrusion detection in large scale heterogeneous 
networks characterized by different … and various security policies; 2.) development of analysis 
and evaluation techniques and standard metrics for intrusion detection systems, development of 
models to characterize IW attacks, and … response to incoming attacks. Such techniques 
… degraded modes of operation, determining attack origin and restoral of services. 

Specific emphasis should be given to … industries … in realistic scenarios and testbeds. 
DAMAGE ASSESSMENT 

• ISSUE: 

- DAMAGE ASSESSMENT TECHNIQUES ARE INADEQUATE AND 
COULD LEAD TO OVER OR UNDER REACTION TO INFORMATION WARFARE 
ATTACKS 

• RECOMMENDATIONS: 

- DEVELOP COMPREHENSIVE DAMAGE ASSESSMENT TECHNIQUES 
/MEASURES THAT ASSESS LOST INFORMATION AND SERVICES AND 
CORRUPTED INFORMATION OR SOFTWARE AND … 

- DEVELOP TOOLS TO SUPPORT ASSESSMENT TECHNIQUES 

• DEVELOP MULTIPLE LEVELS OF DAMAGE ASSESSMENT TOOLS: 
APPLICATION, DATA, MIDDLEWARE, NETWORKS 

• DEVELOP SECURE LOGGING TOOLS 

• DEVELOP TOOLS THAT IDENTIFY: 

- SCOPE & TIME FRAMES OF INTRUSIONS 

- FAULT/INTRUSION LOCATIONS 

- SCOPE, TIME FRAME AND IMPACT OF SERVICE LOSSES 

- CORRUPTED DATA AND SOFTWARE 

- DATA, SOFTWARE, AND SYSTEMS WHICH ARE INTACT 


DAMAGE ASSESSMENT 

In order to determine the appropriate response for a detected attack, it is important to correctly 
assess the associated damage. Failure to correctly assess damage could lead to costly over 
reaction (e.g., removing operational systems from service and/or unnecessarily rebuilding 
them) or dangerous under reaction (e.g., attempts to continue operations with 
corrupted data and software). Currently, there are no proven methods for reliably assessing the 
extent and nature of damage associated with information warfare attacks. 

It is recommended that research and associated tool development be pursued with the objective 
of producing acceptable measures and techniques for damage assessment of both technological 
and business assets. Tools need to be able to assess damage at multiple levels, from 
applications to networks, and to coalesce the results of the assessments at these levels. It is also 
recommended that secure logging tools and standard instrumentation packages for damage 
assessment be developed, which can be provided to all DoD sites where they are needed. 
Attention will have to be paid to adequately protecting such logs from tampering by an intruder. 

In order to … understand and deal with existing and potential future damage, it 
should be a purpose of damage assessment to locate fault/intrusion sites for containment and 
purging purposes. 

An important sub-problem in damage assessment is to identify information system components 
which are undamaged and operational. Those components must be used to continue 
operations, as well as to help in the damage assessment process. Reliable damage assessment 
methods are needed for the information warfare communities and for other government and 
business interests, for a wide range of threats. 
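The secure-logging recommendation and the need to protect logs from tampering, illustrated with an added Python example that is not from the report: a keyed hash-chained event log in which each entry's tag covers the previous entry's tag, so editing, reordering or deleting an earlier entry breaks the chain from that point on. Verification returns the first broken entry, which bounds the time frame of records an assessor can still trust and separates intact entries from suspect ones, the distinction the damage-assessment text asks tools to make. The key, the host and every log line are constructed; the design assumes the HMAC key lives with an off-host log collector rather than on the logged machine.

```python
"""Tamper-evident, keyed hash-chained event log (constructed example).

Each entry's tag is an HMAC over the previous entry's tag and the entry's
own sequence number, timestamp and message. Editing, reordering or deleting
an earlier entry therefore breaks every link from that point on, and the
verifier can report the first broken entry. The key is assumed, for this
example, to be held off the logged host by a central log collector.
"""
import copy
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # placeholder tag "before" the first entry


def _entry_tag(key, prev_tag, seq, ts, msg):
    """Keyed tag binding this entry to its predecessor's tag."""
    payload = json.dumps([prev_tag, seq, ts, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, ts, msg):
    """Append an entry chained to the current head of `log` (a list of dicts)."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    log.append({"seq": seq, "ts": ts, "msg": msg,
                "tag": _entry_tag(key, prev_tag, seq, ts, msg)})
    return log


def first_broken_entry(log, key):
    """Sequence number of the first entry whose link does not verify, or None
    when the whole log is intact. Everything from that entry onward is
    suspect: it may have been edited, reordered, deleted or forged."""
    prev_tag = GENESIS_TAG
    for i, e in enumerate(log):
        expected = _entry_tag(key, prev_tag, e["seq"], e["ts"], e["msg"])
        if e["seq"] != i or not hmac.compare_digest(expected, e["tag"]):
            return i
        prev_tag = e["tag"]
    return None


def trusted_time_frame(log, key):
    """(first_ts, last_ts) covered by the intact prefix, or None if no entry
    verifies: the window an assessor can rely on when reconstructing the
    scope and timing of an intrusion."""
    bad = first_broken_entry(log, key)
    good = log if bad is None else log[:bad]
    if not good:
        return None
    return good[0]["ts"], good[-1]["ts"]


def build_sample_log(key):
    """Constructed sample: five ordinary audit events on one host."""
    events = [(1000, "login admin from console"),
              (1060, "config change: acl updated"),
              (1120, "login operator from 10.0.0.5"),
              (1180, "backup job completed"),
              (1240, "service restarted")]
    log = []
    for ts, msg in events:
        append_entry(log, key, ts, msg)
    return log


def rewrite_entry(log, seq, new_msg, rechain_key=None):
    """Return a copy of `log` with entry `seq` edited, as an assessor might
    find it after an intrusion. With `rechain_key` the copy also has every
    later tag recomputed under that key; without the real key (held
    off-host) the rechained tail still fails verification at `seq`."""
    edited = copy.deepcopy(log)
    edited[seq]["msg"] = new_msg
    if rechain_key is not None:
        prev_tag = edited[seq - 1]["tag"] if seq > 0 else GENESIS_TAG
        for e in edited[seq:]:
            e["tag"] = _entry_tag(rechain_key, prev_tag, e["seq"], e["ts"], e["msg"])
            prev_tag = e["tag"]
    return edited


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: held by the log collector
    log = build_sample_log(key)
    print("intact log, first broken entry :", first_broken_entry(log, key))
    edited = rewrite_entry(log, 3, "backup job skipped")
    print("edited entry 3, first broken   :", first_broken_entry(edited, key))
    print("trusted time frame after edit  :", trusted_time_frame(edited, key))
```

A chain alone does not reveal truncation at the tail: dropping the newest entries leaves a valid prefix. The current head tag therefore also has to be anchored periodically with the off-host collector, and the verifier should compare the expected and actual entry counts; that, together with keeping the key off the logged host, is what makes the log useful as evidence rather than just as a record.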
MINIMUM ESSENTIAL INFORMATION INFRASTRUCTURE (MEII) 


• ISSUE: 

- … NEEDED 

• RECOMMENDATIONS: 

- DEVELOP … NETWORK … FOR THE MEII BASED ON THE USE OF … 

- DEVELOP A RE… … TO EXCHANGE CRITICAL … 

- … 


MINIMUM ESSENTIAL INFORMATION INFRASTRUCTURE 

The current information … 

… resources as possible and as needed. … 

The concept should consider the applications … network for use in 
transitioning from … to execute the transition strategy in the … 
information infrastructure. It will be important … exercises … 

This activity spans government … therefore it is recommended that 
an organization like NMAl … define the concept of an MEII in 
cooperation with the DoD. 
COMPREHENSIVE RESEARCH EFFORT 


• ISSUES: 

- A COMPREHENSIVE, UNIFIED R&D EFFORT IS NEEDED IN ARCHITECTURE, ANALYSIS, AND 
SYNTHESIS OF SURVIVABLE INFORMATION SYSTEMS, SIMILAR TO THE EARLIER 
INVESTMENT WHICH ESTABLISHED U.S. PREEMINENCE IN CRYPTOGRAPHY 

- PREVIOUS R&D EFFORTS HAVE FOCUSSED SEPARATELY ON SPECIFIC AREAS (E.G., 
COMPUTER SECURITY, ENCRYPTION, OPERATING SYSTEMS) 

• RECOMMENDATIONS: 

- ESTABLISH A COMPREHENSIVE RESEARCH EFFORT TO SIGNIFICANTLY ADVANCE THE 
STATE-OF-THE-ART IN THEORY, ANALYSIS, & SCIENCE FOR HIGH ASSURANCE SYSTEMS 

• DEVELOP RIGOROUS MATHEMATICAL APPROACHES FOR ANALYZING AND SYNTHESIZING COMPLEX 
INFORMATION SYSTEMS 

• DEVELOP ADVANCED MODELLING & ANALYSIS TECHNIQUES BUILDING UPON, BUT EXTENDING 
BEYOND, PRIOR RESEARCH IN FORMAL METHODS; INCLUDE A FOCUS ON FORMAL METHODS WHICH 
CAN CROSS LAYERS OF ABSTRACTION IN A LARGE-SCALE SYSTEM DESIGN 

• DEVELOP TECHNIQUES FOR SYSTEM SYNTHESIS, AND FOR PREDICTING AND EVALUATING 
PERFORMANCE; INCLUDE FORMAL APPROACHES TO DESIGN OF APPROPRIATE SYSTEM TESTS 

- ESTABLISH A BROAD-BASED R&D EFFORT FOCUSSED ON THE DESIGN, MONITORING, AND 
MANAGEMENT OF LARGE SCALE DISTRIBUTED SYSTEMS, INCLUDING: 

• ARCHITECTURES, DESIGN TOOLS, & METHODOLOGIES FOR ROBUST SURVIVABLE DISTRIBUTED 
SYSTEMS 

• TECHNIQUES & TOOLS FOR MONITORING & MANAGING LARGE-SCALE DISTRIBUTED/NETWORKED 
SYSTEMS 

• TECHNIQUES FOR DETECTING LOCAL OR LARGE-SCALE ATTACKS, AND FOR ADAPTATION TO 
SUPPORT GRACEFUL DEGRADATION 

• TESTBEDS AND SIMULATION-BASED MECHANISMS FOR EVALUATING EMERGING DIW TECHNOLOGY 
AND TACTICS 

- INCENTIVIZE INDUSTRY AND ACADEMIA TO PARTICIPATE IN BROAD-BASED R&D EFFORTS 

- ESTABLISH A CROSS-GOVERNMENT EFFORT TO COORDINATE DIW RESEARCH AND 
DEPLOYMENT EFFORTS 


COMPREHENSIVE RESEARCH EFFORT 

The development of robust survivable distributed systems resistant to information warfare attack, 
as well as other types of failure, requires major advances in theory, modeling and technology, and 
the combined efforts of a vigorous research community embracing academia, industry and 
government. Prior R&D efforts have focused on specific areas, such as computer and network 
security, encryption technology, operating system environments with multi-level security 
features, and coping with benign network outages caused by single node failures, etc. Little 
attention has been paid to the ab initio design and implementation of systems capable of 
surviving willful malicious attack, or detecting and tolerating corrupted software. Even less 
attention has been paid to the non-ab-initio case, where the system must incorporate legacy 
subsystems which are not under the designer’s control. A comprehensive research effort is 
required, similar to the earlier investment in cryptographic theory, higher mathematics and 
associated technology, which led to U.S. preeminence in cryptography. The area of robust 
survivable systems offers an opportunity for a unifying theme to constitute a broad-based 
research effort covering the full range of 6.1, 6.2, 6.3 research, to stimulate fresh and/or 
revolutionary ideas and comprehensive problem solutions. 

A fundamental and essential underpinning of any proposed technology base for designing and 
implementing large scale, robust, survivable distributed systems is a science and associated suite 
of design technologies for high-confidence/high assurance systems. Ideally such a set of tools 
would afford designers and implementers a means for describing, constructing and verifying the 
anticipated behavior of a complex system at all levels of abstraction. These design technologies 
must be capable of capturing behavioral descriptions, system properties and design descriptions 
in ways which enable the timely creation and performance validation of a given system 
implementation. Such a capability is needed because it is impossible to either anticipate or 
of computer networks. 



APPENDIX G 

LIST OF ACRONYMS 


ABIS          Advanced Battlefield Information System 
ACTD          Advanced Concepts Technology Demonstration 
Active X      See Appendix H, Glossary 
Arch          Architecture 
ASD(C3I)      Assistant Secretary of Defense for Command, Control, Communications and Intelligence 
ATD           Advanced Technology Demonstration 
C2            Command and Control 
C3            Command, Control and Communications 
C3I           Command, Control, Communications and Intelligence 
C4I           Command, Control, Communications, Computers and Intelligence 
C4ISR         Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance 
CDR           Commander (USN designation of rank) 
CIA           Central Intelligence Agency 
CINC          Commander in Chief 
CIO           Chief Information Officer 
CIP           Critical Infrastructure Protection 
CJCS          Chairman, Joint Chiefs of Staff 
Conv.         Conventional 
CONUS         Continental United States 
Coord.        Coordination 
CSA           CINCs/Service/Agencies 
CSAAS         Combat Support Agency Assessment System 
CSPAR         CINCs Preparedness Assessment Report 
Ctr           Center 
DASD          Deputy Assistant Secretary of Defense 
DCI           Director of Central Intelligence 
DEPSECDEF     Deputy Secretary of Defense 
Des           Design 
DIA           Defense Intelligence Agency 
DII           Defense Information Infrastructure 
DIS           Defense Investigative Service 
DISA          Defense Information Systems Agency 
DoC           Department of Commerce 
DoD           Department of Defense 
DoDD          Department of Defense Directive 
DoE           Department of Energy 
DoJ           Department of Justice 
DoT           Department of Transportation 
EEI           Essential Elements of Information 
FBI           Federal Bureau of Investigation 
FEMA          Federal Emergency Management Agency 
GAO           General Accounting Office 
GII           Global Information Infrastructure 
HUMINT        Human Intelligence 
I&W/TA        Indications and Warning/Threat Assessment 
IC            Intelligence Community 
Info.         Information 
Intel         Intelligence 
IT            Information Technology 
IW            Information Warfare 
IW-D          Information Warfare-Defense 
JAVA          See Appendix H, Glossary 
JWCA          Joint Warfare Analysis Center 
MEII          Minimum Essential Information Infrastructure 
Mil Deps      Military Departments 
NCS           National Communications System 
NEC           National Economic Council 
NII           National Information Infrastructure 
NRC           National Research Council 
NSA           National Security Agency 
NSC           National Security Council 
NSIE          Network Security Information Exchange 
NSTAC         National Security Telecommunications Advisory Committee 
Nuc.          Nuclear 
OCONUS        Outside of CONUS 
Off           Office 
OMB           Office of Management and Budget 
Ops           Operations 
OSTP          Office of Science and Technology Policy 
OUSD(A&T)     Office of the USD(A&T) 
OUSD(P)       Office of the USD(P) 
Plan          Planning 
PSA           Principal Staff Assistant 
PSN           Public Switched Network 
Ret.          Retired 
SECDEF        Secretary of Defense 
SORTS         Status of Resources and Training System 
TOR           Terms of Reference 
Treas         Department of the Treasury 
US            United States 
USAF          United States Air Force 
USD(A&T)      Under Secretary of Defense for Acquisition and Technology 
USD(C)        Under Secretary of Defense (Comptroller) 
USD(P&R)      Under Secretary of Defense for Personnel and Readiness 
USD(P)        Under Secretary of Defense for Policy 
USN           United States Navy 
VADM          Vice Admiral 
WARM          War-time Mode 



APPENDIX H 

GLOSSARY 

Source: Joint Pub 1-02, The DOD Dictionary of Military and Associated Terms, 23 March 1994. Its 
terminology is mandatory for use by the Office of the Secretary of Defense, the Military Departments, 
the Joint Staff, combatant commands, and Defense agencies. Other sources are indicated by 
brackets, e.g., [CJCSI 3210.01, 1996]. Terms approved for DOD and NATO use are marked with an 
asterisk within parentheses, i.e., (*). 

acoustic warfare—Action involving the use of underwater acoustic energy to determine, exploit, 
reduce or prevent hostile use of the underwater acoustic spectrum and actions which retain friendly 
use of the underwater acoustic spectrum. There are three divisions within acoustic warfare: 
1. acoustic warfare support measures—That aspect of acoustic warfare involving actions to search 
for, intercept, locate, record, and analyze radiated acoustic energy in water for the purpose of 
exploiting such radiations. The use of acoustic warfare support measures involves no intentional 
underwater acoustic emission and is generally not detectable by the enemy. 2. acoustic warfare 
countermeasures—That aspect of acoustic warfare involving actions taken to prevent or reduce an 
enemy's effective use of the underwater acoustic spectrum. Acoustic warfare countermeasures 
involve intentional underwater acoustic emissions for deception and jamming. 3. acoustic warfare 
counter-countermeasures—That aspect of acoustic warfare involving actions taken to ensure friendly 
effective use of the underwater acoustic spectrum despite the enemy's use of acoustic warfare. 
Acoustic warfare counter-countermeasures involve anti-acoustic warfare support measures and 
anti-acoustic warfare countermeasures, and may not involve underwater acoustic emissions. 

acoustic warfare counter-countermeasures—See acoustic warfare Part 3. 

acoustic warfare countermeasures—See acoustic warfare Part 2. 

acoustic warfare support measures—See acoustic warfare Part 1. 

active air defense(*)—Direct defensive action taken to nullify or reduce the effectiveness of hostile 
air action. It includes such measures as the use of aircraft, air defense weapons, weapons not used 
primarily in an air defense role, and electronic warfare. 

Active X— ... Windows-based software). 

antiair warfare—A U.S. Navy/U.S. Marine Corps term used to indicate that action required to 
destroy or reduce to an acceptable level the enemy air and missile threat. It includes such measures 
as the use of interceptors, bombers, antiaircraft guns, surface-to-air and air-to-air missiles, 
electronic attack, and destruction of the air or missile threat both before and after it is launched. 
Other measures which are taken to minimize the effects of hostile air action are cover, 
concealment, dispersion, deception (including electronic), and mobility. See also counter air. 

antisubmarine operation— Operation contributing to the conduct of antisubmarine warfare. 

antisubmarine warfare(*)-Operations conducted with the intention of denying the enemy the 
effective use of submarines. 

attack assessment— An evaluation of information to determine the potential or actual nature and 
objectives of an attack for the purpose of providing information for timely decisions. See also 
damage estimation. 

biological operation(*)— Employment of biological agents to produce casualties in personnel or 
animals and damage to plants or materiel; or defense against such employment. 

biological warfare-See biological operation. 

C2-protection— See command and control warfare. 

chemical warfare— All aspects of military operations involving the employment of lethal and 
incapacitating munitions/agents and the warning and protective measures associated with such 
offensive operations. Since riot control agents and herbicides are not considered to be chemical 
warfare agents, those two items will be referred to separately or under the broader term 
“chemical,” which will be used to include all types of chemical munitions/agents collectively. 

The term “chemical warfare weapons” may be used when it is desired to reflect both lethal and 
incapacitating munitions/agents of either chemical or biological origin. Also called CW. See 
also chemical operations, herbicide, riot control agent. 

combined warfare— Warfare conducted by forces of two or more allied nations in coordinated 
action toward common objectives. 

command and control warfare— The integrated use of operations security (OPSEC), military 
deception, psychological operations (PSYOP), electronic warfare (EW), and physical destruction, 
mutually supported by intelligence, to deny information to, influence, degrade, or destroy 
adversary command and control capabilities, while protecting friendly command and control 
capabilities against such actions. Command and control warfare applies across the operational 
continuum and all levels of conflict. Also called C2W. C2W is both offensive and defensive: a. 
counter-C2--To prevent effective C2 of adversary forces by denying information to, influencing, 
degrading, or destroying the adversary C2 system, b. C2-protection--To maintain effective 
command and control of own forces by turning to friendly advantage or negating adversary 
efforts to deny information to, influence, degrade, or destroy the friendly C2 system. See also 
command and control; electronic warfare; intelligence; military deception; operations security; 
psychological operations. 

counterguerrilla warfare(*)—Operations and activities conducted by armed forces, paramilitary 
forces, or nonmilitary agencies against guerrillas. 


damage estimation—A preliminary appraisal of the potential effects of an attack. See also attack 
assessment. 

directed-energy protective measures—That division of directed-energy warfare involving 
actions taken to protect friendly equipment, facilities, and personnel to ensure friendly effective 
uses of the electromagnetic spectrum that are threatened by hostile directed-energy weapons and 
devices. 

directed-energy warfare—Military action involving the use of directed-energy weapons, 
devices, and countermeasures to either cause direct damage or destruction of enemy equipment, 
facilities, and personnel, or to determine, exploit, reduce, or prevent hostile use of the 
electromagnetic spectrum through damage, destruction, and disruption. It also includes actions 
taken to protect friendly equipment, facilities, and personnel and retain friendly use of the 
electromagnetic spectrum. Also called DEW. See also directed energy; directed-energy device; 
directed-energy weapon; electromagnetic spectrum; electronic warfare. 

directed-energy weapon—A system using directed energy primarily as a direct means to damage 
or destroy enemy equipment, facilities, and personnel. See also directed energy; directed-energy 
device. 

economic warfare-Aggressive use of economic means to achieve national objectives. 

electromagnetic intrusion—The intentional insertion of electromagnetic energy into 
transmission paths in any manner, with the objective of deceiving operators or of causing 
confusion. See also electronic warfare. 

electronic warfare—Any military action involving the use of electromagnetic and directed 
energy to control the electromagnetic spectrum or to attack the enemy. Also called EW. The 
three major subdivisions within electronic warfare are: electronic attack, electronic protection, 
and electronic warfare support. a. electronic attack—That division of electronic warfare 
involving the use of electromagnetic or directed energy to attack personnel, facilities, or 
equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. 
Also called EA. EA includes: 1) actions taken to prevent or reduce an enemy's effective use of 
the electromagnetic spectrum, such as jamming and electromagnetic deception and 2) 
employment of weapons that use either electromagnetic or directed energy as their primary 
destructive mechanism (lasers, radio frequency weapons, particle beams). b. electronic 
protection—That division of electronic warfare involving actions taken to protect personnel, 
facilities, and equipment from any effects of friendly or enemy employment of electronic warfare 
that degrade, neutralize, or destroy friendly combat capability. Also called EP. c. electronic 
warfare support—That division of electronic warfare involving actions tasked by, or under direct 
control of, an operational commander to search for, intercept, identify, and locate sources of 
intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat 
recognition. Thus, electronic warfare support provides information required for immediate 
decisions involving electronic warfare operations and other tactical actions such as threat 
avoidance, targeting, and homing. Also called ES. Electronic warfare support data can be used 
to produce signals intelligence (SIGINT), both communications intelligence (COMINT), and 
electronics intelligence (ELINT). See also command and control warfare; communications 
intelligence; directed energy; directed-energy device; directed-energy warfare; directed-energy 
weapon; electromagnetic compatibility; electromagnetic deception; electromagnetic hardening; 
electromagnetic jamming; electromagnetic spectrum; electronics intelligence; frequency 
deconfliction; signals intelligence; spectrum management; suppression of enemy air defenses. 

guerrilla warfare(*)— Military and paramilitary operations conducted in enemy-held or hostile 
territory by irregular, predominantly indigenous forces. See also unconventional warfare. 

indications and warning-Those intelligence activities intended to detect and report time- 
sensitive intelligence information on foreign developments that could involve a threat to the 
United States or allied military, political, or economic interests or to U.S. citizens abroad. It 
includes forewarning of enemy actions or intentions; the imminence of hostilities; insurgency; 
nuclear/non-nuclear attack on the United States, its overseas forces, or allied nations; hostile 
reactions to United States reconnaissance activities; terrorists’ attacks; and other similar events. 

information warfare— Actions taken to achieve information superiority by affecting adversary 
information, information-based processes, information systems, and computer-based networks 
while defending one’s own information, information-based processes, information systems, and 
computer-based networks. [CJCSI 3210.01, 1996] 

integrated warfare— The conduct of military operations in any combat environment wherein 
opposing forces employ non-conventional weapons in combination with conventional weapons. 

JAVA— An object-oriented, platform-independent programming language, often used to create 
small cross-program executable software applications called applets that are downloaded from 
remote sites and that execute automatically. 

mine warfare— The strategic, operational, and tactical use of mines and mine countermeasures. 
Mine warfare is divided into two basic subdivisions: the laying of mines to degrade the enemy’s 
capabilities to wage land, air, and maritime warfare; and the countering of enemy-laid mines to 
permit friendly maneuver or use of selected land or sea areas. 

naval coastal warfare— Coastal sea control, harbor defense, and port security, executed both in 
coastal areas outside the United States in support of national policy and in the United States as 
part of this Nation’s defense. Also called NCW. 

naval special warfare— A specific term describing a designated naval warfare specialty and 
covering operations generally accepted as being unconventional in nature and, in many cases, 
covert or clandestine in character. These operations include using specially trained forces 
assigned to conduct unconventional warfare, psychological operations, beach and coastal 
reconnaissance, operational deception operations, counterinsurgency operations, coastal and river 
interdiction, and certain special tactical intelligence collection operations that are in addition to 
those intelligence functions normally required for planning and conducting special operations in 
a hostile environment. Also called NSW. 

nuclear warfare(*)— Warfare involving the employment of nuclear weapons. See also postattack 
period; transattack period. 

operations security— A process of identifying critical information and subsequently analyzing 
friendly actions attendant to military operations and other activities to: a. Identify those actions 
that can be observed by adversary intelligence systems. b. Determine indicators hostile 
intelligence systems might obtain that could be interpreted or pieced together to derive critical 
information in time to be useful to adversaries. c. Select and execute measures that eliminate or 
reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. 
Also called OPSEC. See also command and control warfare; operations security indicators; 
operations security measures; operations security planning guidance; operations security 
vulnerability. 

perception management—Actions to convey and/or deny selected information and indicators to 
foreign audiences to influence their emotions, motives, and objective reasoning; and to 
intelligence systems and leaders at all levels to influence official estimates, ultimately resulting in 
foreign behaviors and official actions favorable to the originator's objectives. In various ways, 
perception management combines truth projection, operations security, cover and deception, and 
psychological operations. See also psychological operations. 

political warfare-Aggressive use of political means to achieve national objectives. 

psychological operations—Planned operations to convey selected information and indicators to 
foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the 
behavior of foreign governments, organizations, groups, and individuals. The purpose of 
psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the 
originator's objectives. Also called PSYOP. See also perception management. 

psychological warfare—The planned use of propaganda and other psychological actions having 
the primary purpose of influencing the opinions, emotions, attitudes, and behavior of hostile 
foreign groups in such a way as to support the achievement of national objectives. Also called 
PSYWAR. 

strategic air warfare—Air combat and supporting operations designed to effect, through the 
systematic application of force to a selected series of vital targets, the progressive destruction and 
disintegration of the enemy's war-making capacity to a point where the enemy no longer retains 
the ability or the will to wage war. Vital targets may include key manufacturing systems, sources 
of raw material, critical material, stockpiles, power systems, transportation systems, 
communication facilities, concentration of uncommitted elements of enemy armed forces, key 
agricultural areas, and other such target systems. 

tactical warning—1. A warning after initiation of a threatening or hostile act based on an 
evaluation of information from all available sources. 2. In satellite and missile surveillance, a 
notification to operational command centers that a specific threat event is occurring. The 
component elements that describe threat events are: Country of origin--country or countries 
initiating hostilities. Event type and size--identification of the type of event and determination of 
the size or number of weapons. Country under attack--determined by observing trajectory of an 
object and predicting its impact point. Event time--time the hostile event occurred. Also called 
integrated tactical warning. See also attack assessment; strategic warning. 

tactical warning and assessment— A composite term. See separate definitions for tactical 
warning and for attack assessment. 
unconventional warfare— A broad spectrum of military and paramilitary operations, normally of 
long duration, predominantly conducted by indigenous or surrogate forces who are organized, 
trained, equipped, supported, and directed in varying degrees by an external source. It includes 
guerrilla warfare and other direct offensive, low visibility, covert, or clandestine operations, as 
well as the indirect activities of subversion, sabotage, intelligence activities, and evasion and 
escape. Also called UW. 
Mr. David A. Banisar 
Electronic Privacy Information Center 
666 Pennsylvania Avenue, S.E., Suite 301 
Washington, D.C. 20003 

Dear Mr. Banisar: 

This letter responds to your January 9, 1997, Freedom of Information Act (FOIA) request. The 
telephone conversation with Commander Voorhies of this Directorate on January 21, 1997, 
refers. 

As agreed in the telephone conversation with Commander Voorhies, the enclosed document is 
provided as responsive to your request. There are no chargeable costs for processing your FOIA 
request in this instance. 

Sincerely, 

A. H. Passarella 
Director 
Freedom of Information and Security Review 

Enclosure: 
As stated 

Prepared by VOORHIES:gjv:1/22/97:DFOI:gr pk vl wh 